Decrypting the WeChat EnMicroMsg.db

Fortunately for us, Forensic Focus has an excellent article on doing exactly this: http://articles.forensicfocus.com/2014/10/01/decrypt-wechat-enmicromsgdb-database/.

They even provide a Python script to do the work for us: https://gist.github.com/fauzimd/8cb0ca85ecaa923df828/download#.

To run the Python script, simply put the EnMicroMsg.db file and the system_config_prefs.xml files in the same directory as the script and, in the command line, type the following:

python fmd_wechatdecipher.py

The script will then prompt you for the IMEI of the device. This can be found in the /MicroMsg/CompatibleInfo.cfg file, printed somewhere on the device (behind the battery, on the SIM card tray, or etched onto the back of the device are common locations), or by typing *#06# on the keypad.

The script should run, and place a file called EnMicroMsg-decrypted.db in the directory.

We can now examine EnMicroMsg-decrypted.db:

ImgInfo2: Contains path information for sent and received images. The bigImgPath column contains the filename for the image; this can be searched for on the SD card to find the picture. Alternatively, images are stored in the /sdcard/tencent/MicroMsg/*/image2 directory in folders that correspond to the filename. For example, the 3b9edb119e04869ecd7d1b21a10aa59f.jpg file can be found in the image2 directory under the /3b/9e path. The folders are broken down by the first two characters of the name, then the next two characters. thumbImgPath contains the names of the thumbnails for the images.

message: Contains all message information for the app. The isSend column indicates the message direction (0 = received, 1 = sent). The createTime column is the timestamp of the message, in Linux epoch format. The talker column contains a unique ID for the remote user; this can be correlated with the rcontact table to identify the remote user. The content column shows the data of messages sent as text, and identifies video calls as voip_content_voice. imgPath contains the path to image thumbnails, which can be correlated with the ImgInfo2 table to locate the full-sized images. It also includes file names for audio files, which can be searched for or located in the /sdcard/tencent/MicroMsg/*/voice2 directory.

rcontact: Contains a list of contacts, including many that are added by default by the app. The username column can be correlated with the talker column in the message table. The nickname column shows the user's name. The type column indicates whether the contact was added manually or automatically (1 = device user, 3 = added by user, 33 = added by app). The exception to this is the weixin user, which is automatically added but has a type value of 3.

userinfo: Contains info about the user, including name and phone number.
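The correlations described above (message.talker to rcontact.username, message.imgPath to ImgInfo2, and the two-level image2 folder layout) can be turned into a single timeline query. The following is an added example, not code from the book or from the Forensic Focus script; it runs against a constructed in-memory stand-in for EnMicroMsg-decrypted.db, and it assumes that message.imgPath matches ImgInfo2.thumbImgPath and that createTime values above 10**11 are milliseconds rather than seconds.

```python
import sqlite3
from datetime import datetime, timezone

def to_utc(create_time):
    """Render createTime as UTC. Assumption: values above 10**11 are milliseconds."""
    secs = create_time / 1000 if create_time > 10**11 else create_time
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def image_path(big_img_name):
    """image2 subfolder: first two characters, then the next two (e.g. 3b/9e/3b9e...jpg)."""
    return f"image2/{big_img_name[:2]}/{big_img_name[2:4]}/{big_img_name}"

def build_timeline(conn):
    """Join message -> rcontact (talker = username) and message -> ImgInfo2.
    Assumption: message.imgPath matches ImgInfo2.thumbImgPath."""
    sql = """SELECT m.createTime, m.isSend, m.talker, r.nickname, m.content,
                    i.bigImgPath
             FROM message m
             LEFT JOIN rcontact r ON r.username = m.talker
             LEFT JOIN ImgInfo2 i ON i.thumbImgPath = m.imgPath
             ORDER BY m.createTime"""
    timeline = []
    for create_time, is_send, talker, nick, content, big in conn.execute(sql):
        kind = "video call" if content == "voip_content_voice" else ("image" if big else "text")
        timeline.append({
            "time": to_utc(create_time),
            "direction": "sent" if is_send == 1 else "received",
            "contact": nick or talker,  # fall back to the raw talker ID if no rcontact row
            "kind": kind,
            "content": content,
            "image": image_path(big) if big else None,
        })
    return timeline

def build_sample_db():
    """Constructed in-memory stand-in for EnMicroMsg-decrypted.db (only the columns used above)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE rcontact (username TEXT, nickname TEXT, type INTEGER);
        CREATE TABLE message (createTime INTEGER, isSend INTEGER, talker TEXT, content TEXT, imgPath TEXT);
        CREATE TABLE ImgInfo2 (bigImgPath TEXT, thumbImgPath TEXT);
        INSERT INTO rcontact VALUES ('wxid_alice01', 'Alice', 3), ('wxid_me', 'Me', 1);
        INSERT INTO message VALUES
          (1412121600000, 0, 'wxid_alice01', 'hello', NULL),
          (1412121660000, 1, 'wxid_alice01', '', 'th_3b9edb119e04869ecd7d1b21a10aa59f'),
          (1412121720000, 0, 'wxid_alice01', 'voip_content_voice', NULL);
        INSERT INTO ImgInfo2 VALUES ('3b9edb119e04869ecd7d1b21a10aa59f.jpg', 'th_3b9edb119e04869ecd7d1b21a10aa59f');
    """)
    return conn
```

Point build_timeline at sqlite3.connect("EnMicroMsg-decrypted.db") to run it against a real decrypted database; rows with an "image" value name the file to look for under /sdcard/tencent/MicroMsg/*/image2.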
