07.11.2019

WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts

Igor Mikhailov
Digital forensic analyst at Group-IB Laboratory of Computer Forensics and Malicious Code Research
If you are keen to know what kinds of forensic WhatsApp artifacts exist in different operating systems and where exactly they can be found, you have come to the right place. This post is focused on WhatsApp forensics and what data can be obtained from a device during forensic analysis.

We should note at the outset that operating systems differ in the types of artifacts they contain, so extracting certain types of WhatsApp data from one device does not automatically mean that the same data can be extracted from another device. For instance, if you have a desktop computer running Windows, you are unlikely to find WhatsApp chats on its disks (the exception will be iOS backup copies). Laptops and mobile devices, on the other hand, have their own peculiarities. Let's discuss this topic in more detail.
WhatsApp artifacts on Android devices
To extract WhatsApp artifacts from an Android device, an investigator needs superuser privileges (root) or another way of obtaining a physical dump of the device's storage (for example, by using software vulnerabilities of a particular device).

The application's files are located in the phone's memory in the partition where user data is stored; as a rule, this partition is called userdata. The program's subdirectories and files are located under the path /data/data/com.whatsapp/.
The wa.db and msgstore.db databases are the main files that contain WhatsApp artifacts on Android.

The wa.db database contains a full list of the WhatsApp user's contacts, including phone numbers, display names, timestamps, and any other information mentioned upon registering in WhatsApp. The wa.db file is located under the path /data/data/com.whatsapp/databases/ and has the following structure:
The most interesting tables in the wa.db database for forensic investigators are:

  • wa_contacts
This table contains information about WhatsApp contacts, such as contact ID, status, display name, timestamps, etc. Screenshot of the table:
Table structure:

  • sqlite_sequence
This table contains information about the number of contacts.

  • android_metadata
This table contains information about WhatsApp language localization.

The msgstore.db database contains information about sent messages, such as contact number, message content, status, timestamps, information about attached files, etc. The msgstore.db file is located under the path /data/data/com.whatsapp/databases/ and has the following structure:
The most interesting tables in the msgstore.db file for forensic investigators are:

  • sqlite_sequence
This table contains general information about the database, for instance, the total number of stored messages, total number of chats, etc. Screenshot of the table:

  • message_fts_content
Contains the content of messages. Screenshot of the table:

  • messages
This table contains information such as contact number, message body, status, timestamps, and information about attached files. Screenshot of the table:
Table structure:
This list of fields is not exhaustive. Different versions of WhatsApp may have or lack some of the fields. Additionally, there may be the fields media_enc_hash, edit_version, payment_transaction_id, etc.

  • messages_thumbnails
This table contains information about transferred images and timestamps. The timestamp column stores time in Unix Epoch Time format in milliseconds.

  • chat_list
This table contains information about chats. Screenshot of the table:
In addition, when examining WhatsApp on an Android device, take note of the following files:

  • msgstore.db.cryptXX (where XX is one or two digits from 0 to 12, for example, msgstore.db.crypt12). The file contains an encrypted backup copy of WhatsApp messages (a backup of the msgstore.db file). The msgstore.db.cryptXX file (or files) is located under the path /data/media/0/WhatsApp/Databases/ (virtual SD card) and /mnt/sdcard/WhatsApp/Databases/ (physical SD card).

  • The key file contains a cryptographic key and is located under the path /data/data/com.whatsapp/files/. It is used for decrypting encrypted WhatsApp backup copies.

  • The com.whatsapp_preferences.xml file contains information about the WhatsApp profile and is located under the path /data/data/com.whatsapp/shared_prefs/.
File fragment (the explanations in parentheses are not part of the file):

<?xml version="1.0" encoding="ISO-8859-1"?>
…
<string name="ph">9123456789</string> (the phone number associated with the WhatsApp account)
…
<string name="version">2.17.395</string> (WhatsApp version)
…
<string name="my_current_status">Hey there! I am using WhatsApp.</string> (the status message shown in the WhatsApp user's account)
…
<string name="push_name">Alex</string> (the username of the WhatsApp account's owner)

  • The registration.RegisterPhone.xml file contains information about the phone number associated with the WhatsApp account and is located under the path /data/data/com.whatsapp/shared_prefs/.
File contents:

<?xml version="1.0" encoding="ISO-8859-1"?>
<map>
    <string name="com.whatsapp.registration.RegisterPhone.phone_number">9123456789</string>
    <int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0"/>
    <int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1"/>
    <string name="com.whatsapp.registration.RegisterPhone.input_phone_number">912 345-67-89</string>
    <int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="10"/>
    <string name="com.whatsapp.registration.RegisterPhone.input_country_code">7</string>
    <string name="com.whatsapp.registration.RegisterPhone.country_code">7</string>
</map>

  • The axolotl.db file contains cryptographic keys and other data required for identifying the account owner. The file is located under the path /data/data/com.whatsapp/databases/.

  • The chatsettings.db file contains application configuration information.

  • The wa.db file contains contact details, which are very informative and interesting from a forensic perspective. It can reveal information about deleted contacts.
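The two shared_prefs files quoted above are ordinary Android preference maps, so the account details they hold (phone number, push name, status text, app version, country code, verification state) can be pulled into a report record automatically. The script below is an added example and not part of the original article or of WhatsApp; the two sample documents are constructed from the fragments quoted above (the real files contain many more entries), and they are kept as bytes so that the declared ISO-8859-1 encoding is honoured exactly as it would be when the file is read out of an evidence image.

```python
import xml.etree.ElementTree as ET

# Constructed samples assembled from the two file fragments quoted above.
SAMPLE_PREFERENCES = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<map>
    <string name="ph">9123456789</string>
    <string name="version">2.17.395</string>
    <string name="my_current_status">Hey there! I am using WhatsApp.</string>
    <string name="push_name">Alex</string>
    <boolean name="sample_flag" value="true"/>
</map>
"""
SAMPLE_REGISTRATION = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<map>
    <string name="com.whatsapp.registration.RegisterPhone.phone_number">9123456789</string>
    <int name="com.whatsapp.registration.RegisterPhone.verification_state" value="0"/>
    <int name="com.whatsapp.registration.RegisterPhone.country_code_position" value="-1"/>
    <string name="com.whatsapp.registration.RegisterPhone.input_phone_number">912 345-67-89</string>
    <int name="com.whatsapp.registration.RegisterPhone.phone_number_position" value="10"/>
    <string name="com.whatsapp.registration.RegisterPhone.input_country_code">7</string>
    <string name="com.whatsapp.registration.RegisterPhone.country_code">7</string>
</map>
"""


def parse_shared_prefs(data: bytes) -> dict:
    """Turn an Android shared_prefs <map> into a dict, keeping native types:
    <string> text, <int>/<long> value="" as int, <boolean> value="" as bool."""
    root = ET.fromstring(data)
    prefs = {}
    for el in root:
        name = el.get("name")
        if name is None:
            continue
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        else:  # <set> and unknown types: keep the raw text for the report
            prefs[name] = el.text
    return prefs


REG = "com.whatsapp.registration.RegisterPhone."


def account_summary(preferences: bytes, registration: bytes) -> dict:
    """Collect the fields the text above singles out into one report record."""
    prefs = parse_shared_prefs(preferences)
    reg = parse_shared_prefs(registration)
    summary = {
        "phone_number": prefs.get("ph"),
        "push_name": prefs.get("push_name"),
        "status": prefs.get("my_current_status"),
        "app_version": prefs.get("version"),
        "country_code": reg.get(REG + "country_code"),
        "input_phone_number": reg.get(REG + "input_phone_number"),
        "verification_state": reg.get(REG + "verification_state"),
    }
    # Cross-check: both files should describe the same account.
    summary["phone_numbers_agree"] = prefs.get("ph") == reg.get(REG + "phone_number")
    return summary


if __name__ == "__main__":
    for key, value in account_summary(SAMPLE_PREFERENCES, SAMPLE_REGISTRATION).items():
        print(f"{key}: {value}")
```

On a real extraction, read /data/data/com.whatsapp/shared_prefs/com.whatsapp_preferences.xml and registration.RegisterPhone.xml in binary mode and pass the bytes in; a phone_numbers_agree value of False is worth noting in the report, since it suggests the account was re-registered or the preference files come from different points in time.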

Make sure to examine the following directories:

  • /data/media/0/WhatsApp/Media/WhatsApp Images/ Contains transferred graphics files.

  • /data/media/0/WhatsApp/Media/WhatsApp Voice Notes/ Contains voice messages in the .opus format.

  • /data/data/com.whatsapp/cache/Profile Pictures/ Contains graphics files: contacts' profile pictures.

  • /data/data/com.whatsapp/files/Avatars/ Contains graphics files: thumbnails of contacts' profile pictures. These files have the .j extension but are actually JPEG (JPG) files.

  • /data/data/com.whatsapp/files/Avatars/ Contains graphics files: the profile picture and its thumbnail set as an avatar by the account owner.

  • /data/data/com.whatsapp/files/Logs/ Contains the program operation log (the whatsapp.log file) and backup copies of program operation logs (files with names in the format whatsapp-yyyy-mm-dd.1.log.gz).


WhatsApp log files:
Log content:

2017-01-10 09:37:09.757 LL_I D [524:WhatsApp Worker #1] missedcallnotification/init count:0 timestamp:0
2017-01-10 09:37:09.758 LL_I D [524:WhatsApp Worker #1] missedcallnotification/update cancel true
2017-01-10 09:37:09.768 LL_I D [1:main] app-init/load-me
2017-01-10 09:37:09.772 LL_I D [1:main] password file missing or unreadable
2017-01-10 09:37:09.782 LL_I D [1:main] statistics Text Messages: 59 sent, 82 received / Media Messages: 1 sent (0 bytes), 0 received (9850158 bytes) / Offline Messages: 81 received (19522 msec average delay) / Message Service: 116075 bytes sent, 211729 bytes received / Voip Calls: 1 outgoing calls, 0 incoming calls, 2492 bytes sent, 1530 bytes received / Google Drive: 0 bytes sent, 0 bytes received / Roaming: 1524 bytes sent, 1826 bytes received / Total Data: 118567 bytes sent, 10063417 bytes received
2017-01-10 09:37:09.785 LL_I D [1:main] media-state-manager/refresh-media-state/writable-media
2017-01-10 09:37:09.806 LL_I D [1:main] app-init/initialize/timer/stop: 24
2017-01-10 09:37:09.811 LL_I D [1:main] msgstore/checkhealth
2017-01-10 09:37:09.817 LL_I D [1:main] msgstore/checkhealth/journal/delete false
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkhealth/back/delete false
2017-01-10 09:37:09.818 LL_I D [1:main] msgstore/checkdb/data/data/com.whatsapp/databases/msgstore.db
2017-01-10 09:37:09.819 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager 16384 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list _jobqueue-WhatsAppJobManager-journal 21032 drw=011
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list axolotl.db 184320 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-wal 436752 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-shm 32768 drw=011
2017-01-10 09:37:09.822 LL_I D [1:main] msgstore/checkdb/list msgstore.db 540672 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-wal 0 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-shm 32768 drw=011
2017-01-10 09:37:09.824 LL_I D [1:main] msgstore/checkdb/list wa.db 69632 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-wal 428512 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-shm 32768 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db 4096 drw=011
2017-01-10 09:37:09.826 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-wal 70072 drw=011
2017-01-10 09:37:09.827 LL_I D [1:main] msgstore/checkdb/list chatsettings.db-shm 32768 drw=011
2017-01-10 09:37:09.838 LL_I D [1:main] msgstore/checkdb/version 1
2017-01-10 09:37:09.839 LL_I D [1:main] msgstore/canquery
2017-01-10 09:37:09.846 LL_I D [1:main] msgstore/canquery/count 1
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery/timer/stop: 8
2017-01-10 09:37:09.847 LL_I D [1:main] msgstore/canquery 517 | time spent:8
2017-01-10 09:37:09.848 LL_I D [529:WhatsApp Worker #3] media-state-manager/refresh-media-state/internal-storage available:1,345,622,016 total:5,687,922,688
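The whatsapp.log fragment above has a regular shape (timestamp, level token, thread id and name in brackets, message), and two kinds of lines are worth extracting systematically: the msgstore/checkdb/list lines, which inventory the databases directory at app start, and the statistics line with message and traffic counters. The parser below is an added example rather than code from the article; its sample input is a subset of the log lines quoted above, and the interpretation of "LL_I D" as an opaque level token is an assumption made from the log's layout alone.

```python
import re
from datetime import datetime

# A subset of the whatsapp.log lines quoted above.
SAMPLE_LOG = """\
2017-01-10 09:37:09.757 LL_I D [524:WhatsApp Worker #1] missedcallnotification/init count:0 timestamp:0
2017-01-10 09:37:09.772 LL_I D [1:main] password file missing or unreadable
2017-01-10 09:37:09.782 LL_I D [1:main] statistics Text Messages: 59 sent, 82 received / Media Messages: 1 sent (0 bytes), 0 received (9850158 bytes) / Offline Messages: 81 received (19522 msec average delay) / Message Service: 116075 bytes sent, 211729 bytes received / Voip Calls: 1 outgoing calls, 0 incoming calls, 2492 bytes sent, 1530 bytes received / Google Drive: 0 bytes sent, 0 bytes received / Roaming: 1524 bytes sent, 1826 bytes received / Total Data: 118567 bytes sent, 10063417 bytes received
2017-01-10 09:37:09.820 LL_I D [1:main] msgstore/checkdb/list axolotl.db 184320 drw=011
2017-01-10 09:37:09.821 LL_I D [1:main] msgstore/checkdb/list axolotl.db-wal 436752 drw=011
2017-01-10 09:37:09.822 LL_I D [1:main] msgstore/checkdb/list msgstore.db 540672 drw=011
2017-01-10 09:37:09.823 LL_I D [1:main] msgstore/checkdb/list msgstore.db-wal 0 drw=011
2017-01-10 09:37:09.824 LL_I D [1:main] msgstore/checkdb/list wa.db 69632 drw=011
2017-01-10 09:37:09.825 LL_I D [1:main] msgstore/checkdb/list wa.db-wal 428512 drw=011
2017-01-10 09:37:09.848 LL_I D [529:WhatsApp Worker #3] media-state-manager/refresh-media-state/internal-storage available:1,345,622,016 total:5,687,922,688
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) "
    r"(?P<level>\S+ \S) "              # the "LL_I D" token, treated as opaque
    r"\[(?P<tid>\d+):(?P<thread>[^\]]+)\] "
    r"(?P<msg>.*)$")
CHECKDB_RE = re.compile(r"^msgstore/checkdb/list (?P<name>\S+) (?P<size>\d+) ")


def parse_log_line(line):
    """One log line -> dict, or None for lines that do not fit the layout
    (continuation lines, stack traces)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    # The log carries device-local time with no zone; keep it naive and
    # record the device's time zone separately in the report.
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S.%f")
    entry["tid"] = int(entry["tid"])
    return entry


def parse_log(text):
    return [e for e in (parse_log_line(ln) for ln in text.splitlines()) if e]


def database_inventory(entries):
    """File name -> size in bytes from the msgstore/checkdb/list lines, i.e.
    what the databases directory looked like when the app last started."""
    inventory = {}
    for e in entries:
        m = CHECKDB_RE.match(e["msg"])
        if m:
            inventory[m["name"]] = int(m["size"])
    return inventory


def wal_pending(inventory):
    """Databases whose write-ahead log was non-empty: the -wal file must be
    acquired together with the .db, or the most recent rows are missed."""
    return sorted(name for name, size in inventory.items()
                  if name.endswith("-wal") and size > 0)


def message_statistics(entries):
    """Parse the 'statistics' line into {section: [(count, label), ...]}."""
    for e in entries:
        if e["msg"].startswith("statistics "):
            stats = {}
            for section in e["msg"][len("statistics "):].split(" / "):
                name, _, rest = section.partition(": ")
                stats[name] = [(int(n.replace(",", "")), label)
                               for n, label in re.findall(r"(\d[\d,]*) (\w+)", rest)]
            return stats
    return {}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    inventory = database_inventory(entries)
    print("databases seen at start:", inventory)
    print("collect these -wal files too:", wal_pending(inventory))
    print("statistics:", message_statistics(entries))
```

The wal_pending check is the practical payoff: in the fragment above, msgstore.db-wal is 0 bytes but wa.db-wal and axolotl.db-wal are not, so an extraction that copied only the .db files would silently lose whatever those write-ahead logs still held.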

  • /data/media/0/WhatsApp/Media/WhatsApp Audio/ Contains received audio files.

  • /data/media/0/WhatsApp/Media/WhatsApp Audio/Sent/ Contains sent audio files.

  • /data/media/0/WhatsApp/Media/WhatsApp Images/ Contains received graphics files.

  • /data/media/0/WhatsApp/Media/WhatsApp Images/Sent/ Contains sent graphics files.

  • /data/media/0/WhatsApp/Media/WhatsApp Video/ Contains received video files.

  • /data/media/0/WhatsApp/Media/WhatsApp Video/Sent/ Contains sent video files.

  • /data/media/0/WhatsApp/Media/WhatsApp Profile Photos/ Contains graphics files associated with the WhatsApp account owner.

To save memory space on an Android device, some of the WhatsApp data may be stored on an SD card. In its root, the SD card may have the WhatsApp directory, where the following artifacts can be found:

  • Share (/mnt/sdcard/WhatsApp/.Share/) Contains copies of files that have been sent to other WhatsApp users.

  • Trash (/mnt/sdcard/WhatsApp/.trash/) Contains deleted files.

  • Databases (/mnt/sdcard/WhatsApp/Databases/) Contains encrypted backup copies. They can be decrypted using the key file extracted from the memory of the device.

Files located in the Databases subdirectory:

  • Media (/mnt/sdcard/WhatsApp/Media/) Contains the subdirectories WallPaper, WhatsApp Audio, WhatsApp Images, WhatsApp Profile Photos, WhatsApp Video, and WhatsApp Voice Notes, which store received and sent multimedia files (graphics, videos, audio messages, photos associated with the WhatsApp account owner, and wallpapers).

  • Profile Pictures (/mnt/sdcard/WhatsApp/Profile Pictures/) Contains graphics files associated with the WhatsApp account owner's profile.

  • Sometimes the SD card may have a Files directory (/mnt/sdcard/WhatsApp/Files/), which contains files that store program settings and user preferences.
Data storage in some mobile devices
In some mobile devices running Android, WhatsApp artifacts can be stored in a different location, because the device's system software can change where application data is kept. For example, Xiaomi mobile devices have a feature called Second Space, which creates a second workspace on the device. When this feature is activated, the location of the data changes: while a regular Android device stores user data in the /data/user/0/ directory (which is a link to the usual /data/data/), the second workspace stores application data in /data/user/10/. Let us compare where wa.db is located:

• Regular Android smartphone: /data/user/0/com.whatsapp/databases/wa.db (which is equivalent to /data/data/com.whatsapp/databases/wa.db)

• Xiaomi Second Space: /data/user/10/com.whatsapp/databases/wa.db.
WhatsApp artifacts in iOS devices
Unlike Android, iOS includes WhatsApp data in the device backup (iTunes backup), which means that extracting the app's data does not require extracting the file system or creating a physical memory dump. Most of the relevant information is stored in the ChatStorage.sqlite database, which is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/ (in some programs this path is displayed as AppDomainGroup-group.net.whatsapp.WhatsApp.shared).

ChatStorage.sqlite structure:
The most informative parts of the ChatStorage.sqlite database are the ZWAMESSAGE and ZWAMEDIAITEM tables.

Screenshot of the ZWAMESSAGE table:
Structure of the ZWAMESSAGE table:
Screenshot of the ZWAMEDIAITEM table:
Structure of the ZWAMEDIAITEM table:
Other interesting tables in the ChatStorage.sqlite database are:

  • ZWAPROFILEPUSHNAME. Associates a WhatsApp ID with a contact name.

  • ZWAPROFILEPICTUREITEM. Associates a WhatsApp ID with a contact's avatar.

  • Z_PRIMARYKEY. Contains general information about the database, such as the total number of stored messages, total number of chats, etc.

In addition, when examining WhatsApp on an iOS mobile device, take note of the following files:

  • BackedUpKeyValue.sqlite. Contains cryptographic keys and other data required for account owner identification. It is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.

  • ContactsV2.sqlite. Contains information about user contacts, such as names, phone numbers, contact statuses (as text), WhatsApp ID, etc. It is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.

  • consumer_version. Contains the WhatsApp version number and is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/.

  • current_wallpaper.jpg. Contains the current WhatsApp background wallpaper and is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/. Older versions of the app use the wallpaper file, which is located under the path /private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/.

  • blockedcontacts.dat. Contains information about blocked contacts and is located under the path /private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/.

  • pw.dat. Contains an encrypted password and is located under the path /private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/.

  • net.whatsapp.WhatsApp.plist (or group.net.whatsapp.WhatsApp.shared.plist). Contains information about the WhatsApp profile and is located under the path /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Library/Preferences/.
Contents of the group.net.whatsapp.WhatsApp.shared.plist file:
Make sure to also examine the following directories:

  • /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Media/Profile/ Contains thumbnails of contacts and groups (files with the .thumb extension), contact avatars, and the WhatsApp account owner's avatar (the Photo.jpg file).

  • /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/Message/Media/ Contains multimedia files and their thumbnails.

  • /private/var/mobile/Applications/net.whatsapp.WhatsApp/Documents/ Contains a program operation log (the calls.log file) and backup copies of program operation logs (the calls.backup.log file).

  • /private/var/mobile/Applications/group.net.whatsapp.WhatsApp.shared/stickers/ Contains stickers (the .webp files).

  • /private/var/mobile/Applications/net.whatsapp.WhatsApp/Library/Logs/ Contains program operation logs.
WhatsApp artifacts in Windows
WhatsApp artifacts in Windows can be found in several places. Most importantly, these are directories that contain executable and auxiliary files (for Windows 8/10):

\Program Files (x86)\WhatsApp\

\Users\%User profile%\AppData\Local\WhatsApp\

\Users\%User profile%\AppData\Local\VirtualStore\Program Files (x86)\WhatsApp\

The \Users\%User profile%\AppData\Local\WhatsApp\ directory stores the SquirrelSetup.log log file, which contains information about update checks and program installation.

The \Users\%User profile%\AppData\Roaming\WhatsApp\ directory has several subdirectories:
Structure of "domain" subfolder
The main-process.log file contains information about WhatsApp's operation.

The databases subdirectory contains Databases.db. This file, however, does not have any information about chats or contacts.

The most interesting files from a forensics perspective are those found in the Cache directory. These are files with the name f_******* (where * is a number from 0 to 9) containing encrypted multimedia files and documents. Some of them, however, can be unencrypted. The most interesting files here are data_0, data_1, data_2, and data_3, which are located in the same subdirectory. These files contain external links to encrypted transferred multimedia files and documents.

Example of information contained in the data_1 file:
data_3 can also contain graphics files.

data_2 contains contact avatars (they can be restored by searching for file headers).

Avatars contained in data_2:
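Recovering the avatars from data_2 "by searching for file headers" means carving: scan the opaque cache block for the JPEG start-of-image marker and cut up to the following end-of-image marker. The same header check also settles what the .j avatar thumbnails on Android and the extension-less IndexedDB entries on macOS really are. The script below is an added example, not code from the article; its sample blob is constructed (two minimal JPEG streams between filler bytes) and is not real WhatsApp cache content.

```python
import os

# Signatures of the image formats encountered in these caches.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def identify_image(data: bytes) -> str:
    """Classify by header rather than by extension, since the .j thumbnails
    on Android and the extension-less cache entries are JPEGs in disguise."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(PNG_SIG):
        return "png"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return "unknown"


def carve_jpegs(blob: bytes, min_size: int = 64):
    """Recover embedded JPEGs from an opaque cache block such as data_2.
    Returns (offset, image_bytes) pairs. An EOI marker inside an embedded
    EXIF thumbnail would cut the outer image short; that is the known limit
    of header/footer carving, and the leftover SOI simply starts a new hit,
    so review the output images rather than trusting the count."""
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        image = blob[start:end + len(JPEG_EOI)]
        if len(image) >= min_size:          # drop marker-only false hits
            found.append((start, image))
        pos = end + len(JPEG_EOI)
    return found


def carve_file(path: str, out_dir: str):
    """Carve a cache file from disk and write each hit as <name>_<offset>.jpg,
    leaving the evidence file untouched."""
    with open(path, "rb") as f:
        blob = f.read()
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for offset, image in carve_jpegs(blob):
        out = os.path.join(out_dir, f"{os.path.basename(path)}_{offset}.jpg")
        with open(out, "wb") as f:
            f.write(image)
        written.append(out)
    return written


def build_sample_blob() -> bytes:
    """Constructed data_2 look-alike: two minimal JPEG streams between
    filler bytes. Not real WhatsApp cache content."""
    def jpeg(payload: bytes) -> bytes:
        app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        return b"\xff\xd8" + app0 + payload + JPEG_EOI
    filler = b"\x00cache-index-entry\x00" * 4          # 76 bytes, no FF bytes
    return filler + jpeg(b"\x01" * 80) + filler + jpeg(b"\x02" * 120) + filler


if __name__ == "__main__":
    for offset, image in carve_jpegs(build_sample_blob()):
        print(f"offset {offset}: {len(image)} bytes, {identify_image(image)}")
```

Against a real cache, call carve_file("data_2", "carved_avatars") and open the results in an image viewer; images that are truncated by an inner EOI are recognisable by their grey lower portion and can be re-cut by hand from the reported offset.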
Chats cannot be found in computer memory. What can be found, however, is:

• multimedia files

• documents transferred via WhatsApp

• contact information about the account owner
WhatsApp artifacts in MacOS
macOS has WhatsApp artifacts similar to those found in Windows.

For older versions of macOS, the program's files are located in the following directories:

\Applications\WhatsApp.app

\Applications\._WhatsApp.app

\Users\%User profile%\Library\Preferences

\Users\%User profile%\Library\Logs\WhatsApp

\Users\%User profile%\Library\Saved Application State\WhatsApp.savedState

\Users\%User profile%\Library\Application Scripts

\Users\%User profile%\Library\Application Support\CloudDocs

\Users\%User profile%\Library\Application Support\WhatsApp.ShipIt

\Users\%User profile%\Library\Containers\com.rockysandstudio.app-for-whatsapp

\Users\%User profile%\Library\Mobile Documents\<text variable> WhatsApp\Accounts
This directory contains subdirectories whose names are phone numbers associated with the WhatsApp account owner.

\Users\%User profile%\Library\Caches\WhatsApp.ShipIt\
This directory contains information about the installation of the program.

\Users\%User profile%\Pictures\iPhoto.photolibrary\Masters\; \Users\%User profile%\Pictures\iPhoto.photolibrary\Thumbnails\
These directories contain the program's service files, including photos and thumbnails of WhatsApp contacts.

\Users\%User profile%\Library\Caches\WhatsApp\
This directory only contains several SQLite databases, which are used for data caching.

\Users\%User profile%\Library\Application Support\WhatsApp\
This directory contains several subdirectories:
  • \Users\%User profile%\Library\Application Support\WhatsApp\Cache\ The directory contains the files data_0, data_1, data_2, data_3 as well as files with the names f_******* (where * is a number from 0 to 9). For information about what kind of data is stored in these files, see the "WhatsApp artifacts in Windows" section of this article.

  • \Users\%User profile%\Library\Application Support\WhatsApp\IndexedDB\ The directory can contain multimedia files (without extensions).

  • The main-process.log file contains information about WhatsApp's operation.

Since OS X Yosemite, the artifacts may be located in new places:

  • \Users\%User profile%\Library\Containers\desktop.WhatsApp

  • \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Support\WhatsApp\Preferences

  • \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Logs\WhatsApp

  • \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Saved Application State\desktop.WhatsApp.savedState

  • \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Scripts

  • \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Support\iCloud

  • \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Support\WhatsApp\IndexedDB The directory can contain multimedia files (without extensions).

  • \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Support\WhatsApp\GPUCache

  • \Users\%User profile%\Library\Containers\desktop.WhatsApp\Data\Library\Application Support\WhatsApp\Cache The directory contains files with the names f_******* (where * is a number from 0 to 9). For information about what kind of data is stored in these files, see the "WhatsApp artifacts in Windows" section of this article.
