WhatsApp analysis

WhatsApp is a popular chat/video messaging service with over 500,000,000 downloads on Google Play.

Package name: com.whatsapp

Files of interest (paths are relative to the app's private data directory, /data/data/com.whatsapp, except the /sdcard paths):

  • /files/
    • Avatars/
    • me
    • me.jpeg
  • /shared_prefs/
    • RegisterPhone.xml
    • VerifySMS.xml
  • /databases/
    • msgstore.db
    • wa.db
  • /sdcard/WhatsApp/
    • Media/
    • Databases/

The /files/Avatars directory contains thumbnails of the profile pictures of contacts that use the app, and me.jpeg is a full-size version of the user's own profile picture. The me file contains the phone number associated with the account.

The phone number associated with the account can also be recovered from /shared_prefs/RegisterPhone.xml. The /shared_prefs/VerifySMS.xml file records the time the account was verified (in Unix epoch format, of course), indicating when the user first registered the app on this device.

The msgstore.db database, like it sounds, contains messaging data:

  • chat_list: The key_remote_jid column lists each account the user has communicated with; the value is the remote user's phone number followed by @s.whatsapp.net. For example, if the value is 13218675309@s.whatsapp.net, the remote user's number is 1-321-867-5309. Group chats use a group identifier ending in @g.us instead of a phone number.
  • group_participants: Maps each group chat to the JIDs of its members.
  • messages: Holds every message. Once again, key_remote_jid identifies the remote party (for a sent message this is the recipient, for a received message the sender; in a group chat it is the group, so it does not by itself tell you which member wrote a received message). The key_from_me value gives the direction of the message (0=received, 1=sent). The data column contains the text of the message, and timestamp is the sent or received time in Unix epoch format, in milliseconds rather than seconds, so divide by 1000 before converting.
    For attachments, media_mime_type identifies the file format; the media_size and media_name columns should be self-explanatory. If the attachment had a caption, the text is in the media_caption column. If the attachment was a location, the latitude and longitude columns are populated. The thumb_image column is a binary blob that is mostly uninteresting, but it embeds the path of the attachment on the device as a plain string. The raw_data column contains thumbnails for images and videos.


The wa.db database is used to store contact information:

  • wa_contacts: Like other messaging apps, WhatsApp copies the user's entire phonebook into its own database. Each row holds the contact's name and phone number, whether that contact is a WhatsApp user, and the contact's status text if they are. Contacts who do not use WhatsApp are still present, so this table is a copy of the phonebook even for people the user never messaged.
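The columns described above for msgstore.db and wa.db, exercised together on a constructed copy of the two databases. This is an added example, not code from the page: it builds a throwaway in-memory stand-in for msgstore.db with wa.db ATTACHed (which is exactly how you would open the two extracted files), then renders a timeline with the JID turned into a phone number, the direction from key_from_me, the millisecond timestamp converted, the attachment path pulled out of thumb_image, and the contact name joined from wa_contacts. The chat_list and messages column names are the ones the text gives; the wa_contacts column names (jid, display_name, number, is_whatsapp_user, status), the millisecond timestamps, the byte layout of thumb_image, and every sample row are assumptions.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed subset of the two schemas: only the columns the text names.
# The wa_contacts column names are an assumption, not stated on the page.
MSGSTORE_SCHEMA = """
CREATE TABLE chat_list (_id INTEGER PRIMARY KEY, key_remote_jid TEXT);
CREATE TABLE messages (
    _id INTEGER PRIMARY KEY, key_remote_jid TEXT, key_from_me INTEGER,
    data TEXT, timestamp INTEGER, media_mime_type TEXT, media_size INTEGER,
    media_name TEXT, media_caption TEXT, latitude REAL, longitude REAL,
    thumb_image BLOB, raw_data BLOB);
"""
WA_SCHEMA = """
CREATE TABLE wa.wa_contacts (jid TEXT, display_name TEXT, number TEXT,
    is_whatsapp_user INTEGER, status TEXT);
"""

# Constructed thumb_image blob: junk bytes around the on-device path, which is
# the only part of the blob worth recovering. Sent media lives under .../Sent/.
SENT_IMAGE_PATH = ("/storage/emulated/0/WhatsApp/Media/WhatsApp Images/Sent/"
                   "IMG-20181212-WA0001.jpg")
THUMB_BLOB = (b"\xac\xed\x00\x05sr\x00\x16\x00\x04file\x00\x4b"
              + SENT_IMAGE_PATH.encode() + b"\x00\x00\x01\xff")
# A path is a run of printable ASCII starting at "/" that passes through WhatsApp/Media/.
PATH_RE = re.compile(rb"/[ -~]*?WhatsApp/Media/[ -~]+")


def jid_to_number(jid):
    """Turn a key_remote_jid into a readable number, or flag a group JID."""
    user, _, domain = jid.partition("@")
    if domain == "g.us":                      # group chats are not phone numbers
        return "group " + user
    digits = re.sub(r"\D", "", user)
    if len(digits) == 11 and digits.startswith("1"):   # NANP: 1-321-867-5309
        return f"{digits[0]}-{digits[1:4]}-{digits[4:7]}-{digits[7:]}"
    return "+" + digits


def epoch_to_iso(ts):
    """msgstore.db stores milliseconds (assumed); anything above 1e11 cannot be
    seconds for a plausible date, so it is scaled down before conversion."""
    if ts > 10**11:
        ts = ts / 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def path_from_thumb_image(blob):
    """Recover the attachment path embedded in the thumb_image blob, if any."""
    m = PATH_RE.search(blob or b"")
    return m.group(0).decode() if m else None


def build_sample_db():
    """In-memory stand-in for msgstore.db with wa.db attached. With real
    evidence: sqlite3.connect('msgstore.db') and ATTACH DATABASE 'wa.db' AS wa."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS wa")
    conn.executescript(MSGSTORE_SCHEMA + WA_SCHEMA)
    jid = "13218675309@s.whatsapp.net"
    conn.execute("INSERT INTO chat_list VALUES (1, ?)", (jid,))
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", [
        # received text, 2018-12-12 12:00:00 UTC expressed in milliseconds
        (1, jid, 0, "are you around?", 1544616000000,
         None, None, None, None, None, None, None, None),
        # sent image with a caption; text lives in media_caption, not data
        (2, jid, 1, None, 1544616060000, "image/jpeg", 204800,
         "IMG-20181212-WA0001.jpg", "this one", None, None, THUMB_BLOB, b"\xff\xd8"),
        # received location: only latitude/longitude are populated
        (3, jid, 0, None, 1544616120000, None, None, None, None,
         28.3922, -80.6077, None, None),
    ])
    conn.executemany("INSERT INTO wa.wa_contacts VALUES (?,?,?,?,?)", [
        (jid, "Jenny", "+1 321-867-5309", 1, "Available"),
        ("13215550199@s.whatsapp.net", "Plumber", "+1 321-555-0199", 0, None),
    ])
    return conn


def timeline(conn):
    """One readable record per message, with the contact name from wa.db."""
    rows = conn.execute("""
        SELECT m.key_remote_jid, m.key_from_me, m.data, m.timestamp,
               m.media_mime_type, m.media_size, m.media_name, m.media_caption,
               m.latitude, m.longitude, m.thumb_image, c.display_name
        FROM messages m LEFT JOIN wa.wa_contacts c ON c.jid = m.key_remote_jid
        ORDER BY m.timestamp""").fetchall()
    out = []
    for jid, from_me, data, ts, mime, size, name, caption, lat, lon, thumb, who in rows:
        rec = {"when": epoch_to_iso(ts),
               "direction": "sent" if from_me == 1 else "received",
               "remote": jid_to_number(jid), "name": who,
               "text": data if data is not None else caption}
        if mime:
            rec["attachment"] = {"mime": mime, "size": size, "name": name,
                                 "path": path_from_thumb_image(thumb)}
        if lat is not None and lon is not None:
            rec["location"] = (lat, lon)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in timeline(build_sample_db()):
        print(rec)
```

The timestamp heuristic is deliberately defensive: VerifySMS.xml and other artifacts on this page are in seconds, so a converter that silently assumes one unit will be off by a factor of 1000 on one of them.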


The SD card is a treasure trove of WhatsApp data. The /sdcard/WhatsApp/Media folder contains a subfolder for each type of media (Audio, Calls, Images, Video, and Voice Notes) and stores all attachments of that type there. Sent media is stored in a subdirectory called, unimaginatively, Sent; received media sits in the root of the type's folder. These are the same paths recorded in the thumb_image column of msgstore.db, which is how a message row is tied to the file on disk.

The Databases directory is an even greater source of information. WhatsApp makes a backup of msgstore.db nightly and stores the backups here. This lets an examiner see historical data that has since been deleted: if I delete a chat today, but you look at a backup from yesterday, you will be able to read the chat I deleted. The app is even kind enough to put the date in the filename, for example msgstore-2018-12-12.1.db.crypt12. The only catch is that these backups are encrypted (the .cryptNN suffix identifies the backup format version); the key needed to decrypt them is kept in the app's private data directory (files/key), so it is recoverable whenever that directory is.
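Walking the nightly backups and recovering a deleted chat, as an added example that is not part of the original page. It assumes the backups have already been decrypted to plain SQLite (a step this page does not cover), that the undated msgstore.db.crypt12 in the same directory is the most recent backup, and that a message's _id is not reused after deletion; the directory listing and the message rows are constructed.

```python
import re
import sqlite3
from datetime import date

# Constructed listing of /sdcard/WhatsApp/Databases/. The undated file is
# assumed to be the newest backup; the dated ones are earlier nights.
SDCARD_LISTING = [
    ".nomedia",
    "msgstore-2018-12-10.1.db.crypt12",
    "msgstore-2018-12-12.1.db.crypt12",
    "msgstore.db.crypt12",
    "msgstore-2018-12-11.1.db.crypt12",
    "msgstore-2018-12-11.2.db.crypt12",
]

# msgstore[-YYYY-MM-DD.N].db[.cryptNN]; the date and sequence are optional.
BACKUP_RE = re.compile(
    r"^msgstore(?:-(\d{4})-(\d{2})-(\d{2})\.(\d+))?\.db(?:\.(crypt\d+))?$")


def parse_backup_name(name):
    """'msgstore-2018-12-12.1.db.crypt12' -> (date(2018, 12, 12), 1, 'crypt12').
    The undated current backup sorts as newest; unrelated files give None."""
    m = BACKUP_RE.match(name)
    if not m:
        return None
    y, mo, d, seq, enc = m.groups()
    when = date(int(y), int(mo), int(d)) if y else date.max
    return (when, int(seq) if seq else 0, enc)


def sorted_backups(listing):
    """Backup filenames newest first, so the examiner can walk back in time."""
    parsed = [(parse_backup_name(n), n) for n in listing]
    parsed = [(k, n) for k, n in parsed if k is not None]
    parsed.sort(key=lambda kn: (kn[0][0], kn[0][1]), reverse=True)
    return [n for _, n in parsed]


# Minimal messages table (columns from the text) standing in for a decrypted copy.
MESSAGES_SCHEMA = """CREATE TABLE messages (_id INTEGER PRIMARY KEY,
    key_remote_jid TEXT, key_from_me INTEGER, data TEXT, timestamp INTEGER);"""


def open_messages(rows):
    """Stand-in for opening an already-decrypted msgstore.db copy."""
    conn = sqlite3.connect(":memory:")
    conn.execute(MESSAGES_SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?,?)", rows)
    return conn


def deleted_messages(backup, live):
    """Rows present in the backup but missing from the live database, keyed on
    _id (assumed not to be reused after a deletion)."""
    live_ids = {r[0] for r in live.execute("SELECT _id FROM messages")}
    return [row for row in backup.execute(
        "SELECT _id, key_remote_jid, key_from_me, data, timestamp "
        "FROM messages ORDER BY _id") if row[0] not in live_ids]


# Constructed data: yesterday's backup still holds a chat with 13215550199
# that was deleted before the live database was imaged today.
JENNY = "13218675309@s.whatsapp.net"
PLUMBER = "13215550199@s.whatsapp.net"
BACKUP_ROWS = [
    (1, JENNY, 0, "are you around?", 1544616000000),
    (2, JENNY, 1, "yes, calling now", 1544616060000),
    (3, PLUMBER, 1, "can you come by tonight?", 1544620000000),
    (4, PLUMBER, 0, "after 8", 1544620300000),
]
LIVE_ROWS = BACKUP_ROWS[:2]


if __name__ == "__main__":
    print(sorted_backups(SDCARD_LISTING))
    for row in deleted_messages(open_messages(BACKUP_ROWS), open_messages(LIVE_ROWS)):
        print(row)
```

In practice you run the same diff pairwise down the sorted list (newest against live, then each older backup against the next newer one), so that a chat deleted several days ago surfaces from the last backup that still contained it.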
