Getting to Grips with Android WhatsApp Forensics

WhatsApp’s global popularity and the widespread use of Android mobile devices have made it a key source of evidence in many investigations.
When you need to examine Android WhatsApp, mobile forensics tools can assist in acquiring application data from a device and organizing app-related findings. However, a deeper understanding of how WhatsApp stores data on devices is also important. It can help you validate findings and uncover additional information beyond what tools offer.
This article delves into forensically significant aspects of WhatsApp, covering the app’s files of interest on Android devices and exploring the databases.
Key Features of WhatsApp for Forensic Analysis
Initially designed to showcase user status updates, WhatsApp evolved into a full-fledged messenger. Present-day WhatsApp can be used for one-to-one and group chats involving:
- Text messages
- Media files like pictures, videos, audio, and documents
- Location pins and live locations
- Contact cards
WhatsApp messages can be starred, edited, and deleted. Users can also set messages to disappear from selected chats after a specified time. The WhatsApp status has evolved into several one-way communication features:
- The multimedia status, lasting 24 hours
- Channels for posting content for a group of followers
- The broadcast feature, allowing messages to be sent to multiple conversations individually
The application also supports VoIP and video calls and conferences. In some countries, it can even be used for payments. With such diverse features, WhatsApp users leave behind digital traces that offer insights into their connections, interactions, behaviors, locations, and more.
Additionally, a single WhatsApp account can be used across multiple devices, aiding in identifying additional devices involved in account usage.
Android WhatsApp Files of Interest
Android WhatsApp files that contain forensically relevant information reside in the device file system. To obtain them, you need digital forensics software capable of a full file system extraction, because the application resource folder, which stores app files and databases in unencrypted form, sits under a path that is not readable without elevated privileges. Let’s look into the files that can help you during an investigation.
Databases
On Android devices, WhatsApp stores account data in several SQLite databases, together with their transaction files (journal and write-ahead log), in the application resource folder ..\data\data\com.whatsapp\databases.
Key databases containing forensically relevant information include:
- companion_devices.db: Contains information about other devices linked to the account
- wa.db: Includes names of contacts, group chats, channel names, and other details
- msgstore.db: Contains records of calls, message texts, and other information exchanged in conversations (e.g., locations, media file names)
Configuration File
In ..\data\data\com.whatsapp\shared_prefs, the com.whatsapp_preferences_light.xml file stores account settings and timestamps of various application events as XML elements.
Some tags that may provide insights for investigations include:
- <string name="registration_jid">: WhatsApp account owner’s registration phone number
- <string name="my_current_status">: Account’s “About” information at the time of acquisition
- <string name="gdrive_account_name">: Google Account email address used for cloud backups
- <long name="gdrive_last_successful_backup_timestamp:account@gmail.com" value="0000000000000"/>: UTC Unix timestamp (in milliseconds) of the last successful cloud backup
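The preferences file is ordinary Android shared_prefs XML, so the elements above can be pulled out with the standard library. The script below is an added example, not code from the article or from WhatsApp; the XML document it parses is a constructed sample with placeholder values, and the 13-digit backup timestamp is treated as milliseconds since the Unix epoch (a value of 0 is read as "no successful backup recorded").

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-in for com.whatsapp_preferences_light.xml.
# Every value here is a placeholder, not data from a real device.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="registration_jid">15555550100</string>
    <string name="my_current_status">Hey there! I am using WhatsApp.</string>
    <string name="gdrive_account_name">example.user@gmail.com</string>
    <long name="gdrive_last_successful_backup_timestamp:example.user@gmail.com" value="1700000000000" />
    <boolean name="unrelated_flag" value="true" />
</map>
"""

BACKUP_TS_PREFIX = "gdrive_last_successful_backup_timestamp:"


def parse_prefs(xml_text):
    """Flatten a shared_prefs <map> into {name: value}.

    <string> elements carry their value as text; <long>, <int>, <boolean>
    and <float> elements carry it in a 'value' attribute.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    prefs = {}
    for el in root:
        name = el.get("name")
        if name is None:
            continue
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("long", "int", "boolean", "float"):
            prefs[name] = el.get("value")
    return prefs


def account_summary(prefs):
    """Pick out the account-level settings the article lists."""
    return {
        "registration_jid": prefs.get("registration_jid"),
        "my_current_status": prefs.get("my_current_status"),
        "gdrive_account_name": prefs.get("gdrive_account_name"),
    }


def backup_timestamps(prefs):
    """Map each Google account name to the UTC time of its last successful backup.

    Assumption: the stored value is milliseconds since the Unix epoch; a value
    of 0 means no successful backup has been recorded for that account.
    """
    result = {}
    for name, value in prefs.items():
        if not name.startswith(BACKUP_TS_PREFIX):
            continue
        account = name[len(BACKUP_TS_PREFIX):]
        millis = int(value)
        result[account] = (
            None if millis == 0
            else datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
        )
    return result


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    print(account_summary(prefs))
    for account, when in backup_timestamps(prefs).items():
        print(account, "->", when.isoformat() if when else "no successful backup")
```

Run it against the real file by reading the bytes from the extraction and passing them to parse_prefs; the converted timestamp can then be placed on the same timeline as the message records from msgstore.db.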
Backup Encryption Key
WhatsApp encrypts and decrypts database backups with a key file generated when the user authenticates in the app with their phone number. This file can be found in ..\data\data\com.whatsapp\files.
Media Files
WhatsApp saves exchanged media files in backup folders created on the device. They are located in ..\Android\media\com.whatsapp\WhatsApp\Media. Other media files, like contact avatars, are part of the application resource folders under ..\data\data\com.whatsapp\files.
Android WhatsApp Databases
companion_devices.db
Let’s begin exploring WhatsApp data with the companion_devices.db that reveals devices connected to a WhatsApp account through the linking functionality. It can help identify additional devices used by the account owner and their approximate location. It can also contribute to a timeline of events.
wa.db
The information on contacts of an Android WhatsApp account is part of the wa.db database. Let’s look into its main tables of interest.
- wa_contacts: Provides information about the account owner’s contacts and groups. The record type can be told from the JID suffix: @s.whatsapp.net for one-to-one chats, @g.us for group chats, @broadcast for broadcast lists, and @newsletter for channels.
- wa_block_list: Lists the contacts the user has blocked, including each blocked contact’s internal WhatsApp ID (a JID ending in @lid).
- wa_group_admin: Provides information about the admins of group chats in which the user participates.
msgstore.db
When it comes to exploring Android WhatsApp user’s conversations, msgstore.db is the primary source of data.
Key columns in the message table include:
- chat_row_id: Chat where a message was exchanged (serves as the foreign key to the _id column in the chat table that includes details of the chats)
- sender_jid_row_id: Contact that sent the message (serves as the foreign key to the _id column in the jid table that contains contact IDs)
- from_me: Identifies whether a message is incoming or outgoing
- message_type: Numeric type of data the message includes
- timestamp: Unix timestamp (UTC) of when the message was sent or received
- text_data: text of the exchanged message
- starred: indicates if the user bookmarked the message
Other tables store additional details of non-text messages, like message_location for geolocation data, message_media for paths to exchanged files, and message_vcard for details of exchanged contact cards.
The message_add_on table stores details of messages that received reactions, were edited, or marked to be kept in disappearing chats.
The message_quoted table helps identify if a message in a chat was sent as a reply to another message. If the quoted messages include additional data like media files, locations, and other content, this information is stored in other tables such as message_quoted_media, message_quoted_text, message_quoted_location, and others. The “message_quoted” tables are especially noteworthy as they retain the contents of deleted messages that someone quoted before they were wiped.
Call records can be found in the call_log table.
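To show how the msgstore.db columns above fit together, and how the JID suffixes from wa.db identify the kind of chat, here is an added example that is not code from the article or from WhatsApp. It builds a small in-memory SQLite database whose tables keep only the columns the article names (jid, chat, message, message_quoted), fills it with constructed rows, and then runs the two queries an examiner typically starts with: a chronological timeline with chats and senders resolved, and the message_quoted rows whose original message is no longer present. Assumptions to verify against your own extraction: timestamps are milliseconds since the Unix epoch, sender_jid_row_id is empty for outgoing and one-to-one incoming messages, the quoted original is linked through a key_id column, and the message_type mapping covers only a handful of commonly documented values.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema limited to the columns the article discusses. A real
# msgstore.db carries many more columns; the key_id link between message and
# message_quoted is an assumption to confirm against the actual database.
SCHEMA = """
CREATE TABLE jid (_id INTEGER PRIMARY KEY, raw_string TEXT NOT NULL);
CREATE TABLE chat (_id INTEGER PRIMARY KEY, jid_row_id INTEGER NOT NULL);
CREATE TABLE message (
    _id INTEGER PRIMARY KEY,
    chat_row_id INTEGER NOT NULL,
    sender_jid_row_id INTEGER,       -- NULL for outgoing and one-to-one incoming (assumption)
    from_me INTEGER NOT NULL,        -- 1 = sent by the account owner
    key_id TEXT NOT NULL,
    message_type INTEGER NOT NULL,
    timestamp INTEGER NOT NULL,      -- milliseconds since the Unix epoch, UTC (assumption)
    text_data TEXT,
    starred INTEGER DEFAULT 0);
CREATE TABLE message_quoted (
    message_row_id INTEGER NOT NULL, -- the reply that carries the quote
    key_id TEXT NOT NULL,            -- key_id of the message being quoted
    text_data TEXT);
"""

# Constructed sample rows; none of these come from a real device.
SAMPLE_ROWS = {
    "jid": [(1, "15555550101@s.whatsapp.net"), (2, "120363000000000000@g.us"),
            (3, "15555550102@s.whatsapp.net")],
    "chat": [(1, 1), (2, 2)],
    "message": [
        (1, 1, None, 1, "K1", 0, 1700000000000, "Are you coming tonight?", 0),
        (2, 1, None, 0, "K2", 0, 1700000060000, "Yes, around nine", 1),
        (3, 2, 3,    0, "K3", 0, 1700000120000, "I agree with that", 0),
        (4, 2, 3,    0, "K4", 5, 1700000180000, None, 0),
    ],
    "message_quoted": [
        (3, "K-GONE", "original text that was later deleted"),  # original no longer in message
        (2, "K1", "Are you coming tonight?"),                   # original still present
    ],
}

JID_SERVERS = {"s.whatsapp.net": "one-to-one", "g.us": "group", "broadcast": "broadcast",
               "newsletter": "channel", "lid": "internal-id"}
# Commonly documented message_type values; treat as an assumption for your build.
MESSAGE_TYPES = {0: "text", 1: "image", 2: "audio", 3: "video", 4: "contact card", 5: "location"}


def jid_kind(raw_jid):
    """Classify a JID by the server part after '@' (see the wa_contacts notes)."""
    return JID_SERVERS.get(raw_jid.rsplit("@", 1)[-1], "unknown")


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


def to_utc(millis):
    return datetime.fromtimestamp(millis / 1000, tz=timezone.utc).isoformat()


TIMELINE_SQL = """
SELECT m._id, m.timestamp, m.from_me, m.message_type, m.text_data, m.starred,
       cj.raw_string AS chat_jid, sj.raw_string AS sender_jid
FROM message m
JOIN chat c   ON c._id  = m.chat_row_id
JOIN jid  cj  ON cj._id = c.jid_row_id
LEFT JOIN jid sj ON sj._id = m.sender_jid_row_id
ORDER BY m.timestamp
"""


def timeline(conn):
    """Resolve chat_row_id and sender_jid_row_id into JIDs and order by time."""
    rows = []
    for _id, ts, from_me, mtype, text, starred, chat_jid, sender_jid in conn.execute(TIMELINE_SQL):
        # Outgoing messages have no sender row; for incoming one-to-one messages
        # the sender is the chat partner, so fall back to the chat JID.
        sender = "account owner" if from_me else (sender_jid or chat_jid)
        rows.append({"id": _id, "time": to_utc(ts), "direction": "out" if from_me else "in",
                     "chat": chat_jid, "chat_kind": jid_kind(chat_jid), "sender": sender,
                     "type": MESSAGE_TYPES.get(mtype, f"other({mtype})"),
                     "text": text, "starred": bool(starred)})
    return rows


ORPHAN_QUOTES_SQL = """
SELECT q.message_row_id, q.key_id, q.text_data
FROM message_quoted q
LEFT JOIN message orig ON orig.key_id = q.key_id
WHERE orig._id IS NULL
"""


def quoted_but_deleted(conn):
    """Quoted content whose original message is gone from the message table."""
    return [{"reply_id": r, "quoted_key_id": k, "quoted_text": t}
            for r, k, t in conn.execute(ORPHAN_QUOTES_SQL)]


if __name__ == "__main__":
    db = build_sample_db()
    for row in timeline(db):
        print(row)
    for row in quoted_but_deleted(db):
        print("retained only via quote:", row)
```

Against a real extraction, replace build_sample_db with sqlite3.connect on a working copy of msgstore.db and keep the original (and its -wal and journal files) untouched; the orphan-quote query is the quickest way to surface text that survives only because someone replied to it before it was deleted.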
Conclusion
This article has examined important aspects of Android WhatsApp for forensic analysis, concentrating on the app’s databases and files on Android devices. By exploring key databases like companion_devices.db, wa.db, and msgstore.db, and understanding the encryption key and media files, we’ve discovered valuable insights that can assist you in creating timelines, identifying connections, and extracting vital evidence.
With this knowledge of navigating Android WhatsApp data, you can expand your search and discover more sources of information for your investigations.