Friday, August 9, 2019

WhatsApp - Images and Messages - An overview

So many good questions from my colleagues, e.g.:
- What happens if someone deletes a message? Can we recover it?
- What happens when a picture is sent and then deleted?
- If a picture is stored in the WhatsApp Media Images folder, what does this mean? Was it sent? Was it received? Was it created on the device within WhatsApp?

I decided to test this with my test smartphone and write my results down here. This post gives a first overview. I want to take a deeper look, especially at the recovery of deleted messages, in a future post.

The environment

My test device and the versions used:

Samsung Galaxy S6 (SM-G920F)
Android 7
WhatsApp Version 2.19.150

The paths:

The media file path of WhatsApp on the test device is:

/sdcard/WhatsApp/Media/

The path for the images is:
/sdcard/WhatsApp/Media/WhatsApp Images

Timestamps

Before I start with the images and messages, one short note about the timestamps of the messages and the images:

Messages: The timestamps of the messages are in UTC and the time comes from the server side. It does not matter what time the device has. Also, you cannot use WhatsApp if your device time is not synced with world time. At least I was not able to do it.

Images: The timestamps of the images in the filesystem are mostly close to their sending/receiving time, because normally a received image is stored to the filesystem at the moment it arrives. The same applies when sending or taking an image with WhatsApp.
Restriction: If the device is not on a W-LAN and automatic download is not activated, the timestamp of the image could differ. But I have not tested this yet!

Images

What does it mean if an image is only stored in the subfolder Sent of the WhatsApp Images folder?
The path:
/sdcard/WhatsApp/Media/WhatsApp Images/Sent

The image was sent via WhatsApp but not created via WhatsApp.


What does it mean if an image is stored in both folders, the subfolder Sent and the WhatsApp Images folder (same hash values/content)?
The paths:
/sdcard/WhatsApp/Media/WhatsApp Images/Sent
/sdcard/WhatsApp/Media/WhatsApp Images

The image was created/taken directly in the WhatsApp application and then sent via WhatsApp.


What does it mean if an image is only stored in the WhatsApp Images folder?

The path:
/sdcard/WhatsApp/Media/WhatsApp Images

The image was received by WhatsApp. The user does not need to have actively viewed the image or the thread that contains it.
Restriction: I've tested this with W-LAN activated, so the image is automatically downloaded.
It is also possible that the user forwarded the picture; a forwarded image is not duplicated into the Sent folder.
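The three folder rules above can be applied mechanically to an extracted media tree. This is an added example, not code from the post: it groups files by SHA-256 so that the "same content in both folders" case is recognised, then assigns the verdict the post gives for each location. The media tree, file names and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Folder names from the post, relative to the media root /sdcard/WhatsApp/Media/
IMAGES_DIR = "WhatsApp Images"
SENT_DIR = "WhatsApp Images/Sent"

def classify_images(media_root):
    """Group image files by content hash and apply the post's three folder rules.
    Returns {sorted tuple of relative paths: verdict}. Hashing is what lets the
    "same content in both folders" case be recognised even if the names differ."""
    root = Path(media_root)
    groups = {}  # sha256 -> {"where": folder labels, "files": relative paths}
    for label, rel in (("images", IMAGES_DIR), ("sent", SENT_DIR)):
        folder = root / rel
        if not folder.is_dir():
            continue
        for p in folder.iterdir():
            if not p.is_file():  # skips the Sent subfolder while walking WhatsApp Images
                continue
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            g = groups.setdefault(digest, {"where": set(), "files": []})
            g["where"].add(label)
            g["files"].append(p.relative_to(root).as_posix())
    verdicts = {}
    for g in groups.values():
        if g["where"] == {"sent"}:
            v = "sent via WhatsApp, not created in WhatsApp"
        elif g["where"] == {"images", "sent"}:
            v = "created/taken in WhatsApp and then sent"
        else:  # only in WhatsApp Images
            v = "received (or forwarded; forwarding does not copy into Sent)"
        verdicts[tuple(sorted(g["files"]))] = v
    return verdicts

def demo():
    """Constructed media tree (invented names and contents) run through the rules."""
    root = Path(tempfile.mkdtemp())
    fixture = {
        "WhatsApp Images/Sent/gallery.jpg": b"photo picked from the gallery and sent",
        "WhatsApp Images/camera.jpg": b"photo taken with the WhatsApp camera",
        "WhatsApp Images/Sent/camera.jpg": b"photo taken with the WhatsApp camera",
        "WhatsApp Images/received.jpg": b"photo received from a contact",
    }
    for rel, data in fixture.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return classify_images(root)
```

Point `classify_images()` at the extracted `Media` directory of a real device image; the verdict for the images-only case stays a hint, as the post says, and the database remains the place to confirm it.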


What happens if the user deletes for everyone the last message, which includes an image?

On the phone that received the image, the image will be deleted from the filesystem and the message will be deleted from the database.

On the phone of the sender, the image in the Sent folder will be deleted; the image in the media folder (if the image was created by WhatsApp) will remain. The message will be deleted from the database.

Messages


The message was deleted by the sender for everyone. You get a message on your phone in WhatsApp like the one in the following picture.

In the database the message content is empty.
The sender sees something like the following image on his phone:

In the database the message content is empty.

Where can you possibly find the content of this message?

1. WAL file: In the write-ahead log (WAL) file of msgstore.db you can still find the message. I want to analyze in detail for how long this is possible and I will show the content in more detail in my next post.
2. Backup: If there was a WhatsApp backup between the arrival of the message and the deletion, you can find the deleted message in the backup.


The receiver deletes the message on his phone (for himself). Where can you find the message now?

Things to mention additionally:
1. The receiver can only delete the message on his own phone, not for everyone.
2. The message is completely gone from the thread in WhatsApp and from the database. So you need to know that there was a message; you cannot see any trace of it in the database or the thread.

1. WAL file: In the write-ahead log (WAL) file of msgstore.db you can still find the message. I want to analyze in detail for how long this is possible and I will show the content in more detail in my next post.
2. Backup: If there was a WhatsApp backup between the arrival of the message and the deletion, you can find the deleted message in the backup.


The sender deletes a message on his phone (for himself). Where can you find the message now?

Things to mention:
The sender could first delete the message for everyone and then delete this message only on his phone. Then the trace in the thread and in the database is gone. You would need to know that there was a message so you could then take a look into the following locations.

1. WAL file: In the write-ahead log (WAL) file of msgstore.db you can still find the message. I want to analyze in detail for how long this is possible and I will show the content in more detail in my next post.
2. Backup: If there was a WhatsApp backup between the sending of the message and the deletion, you can find the deleted message in the backup.
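All three answers above point the examiner at the WAL file of msgstore.db. The following is an added example, not code from the post: a small parser for the SQLite WAL frame format that reports which frames still contain a given message text, exercised against a constructed stand-in database (the `messages` table with a `data` column and the message text are assumptions standing in for the real msgstore.db).

```python
import sqlite3
import struct
import tempfile
from pathlib import Path

WAL_HDR, FRAME_HDR = 32, 24  # SQLite WAL file header and per-frame header sizes

def scan_wal(wal_path, needle):
    """List every WAL frame whose page image contains `needle`.
    Returns (page_size, hits); each hit is (frame_index, page_number, is_commit, stale).
    A frame whose salts differ from the header belongs to an earlier WAL generation
    superseded by a checkpoint reset; it is still on disk and often still holds
    deleted rows, so it is reported as stale rather than skipped."""
    data = Path(wal_path).read_bytes()
    magic, _ver, page_size, _ckpt, salt1, salt2 = struct.unpack(">IIIIII", data[:24])
    if magic not in (0x377F0682, 0x377F0683):
        raise ValueError("not a SQLite WAL file")
    hits, off, idx = [], WAL_HDR, 0
    while off + FRAME_HDR + page_size <= len(data):
        pgno, db_size, fs1, fs2 = struct.unpack(">IIII", data[off:off + 16])
        page = data[off + FRAME_HDR:off + FRAME_HDR + page_size]
        if needle in page:
            hits.append((idx, pgno, db_size != 0, (fs1, fs2) != (salt1, salt2)))
        off += FRAME_HDR + page_size
        idx += 1
    return page_size, hits

def demo():
    """Constructed stand-in for msgstore.db: store one message, delete it, inspect the WAL."""
    db = Path(tempfile.mkdtemp()) / "msgstore.db"
    text = "meet me at the harbour at nine"  # constructed message body
    con = sqlite3.connect(str(db))
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE messages(_id INTEGER PRIMARY KEY, data TEXT)")
    con.execute("INSERT INTO messages(data) VALUES (?)", (text,))
    con.commit()
    con.execute("DELETE FROM messages")  # "delete for me": the row is gone from the table
    con.commit()
    rows = con.execute("SELECT count(*) FROM messages").fetchone()[0]
    needle = text.encode()
    # Read both files while the connection is open: closing the last connection
    # checkpoints the WAL into the main file and removes msgstore.db-wal.
    in_main_db = needle in db.read_bytes()
    page_size, hits = scan_wal(str(db) + "-wal", needle)
    con.close()
    return {"rows_left": rows, "in_main_db": in_main_db, "page_size": page_size,
            "wal_hits": len(hits), "pages": {h[1] for h in hits}}
```

On a real msgstore.db-wal the `stale` flag is the interesting one: frames beyond the last checkpoint reset are no longer part of the live database but still carry the old page images, which is where a deleted message can linger.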


Conclusion

1. If a user deletes a message on his own phone for himself, you will not see any hint that there was a message.

2. Deleted messages could be recovered from the WAL file or the backup. The WAL file won't store the data forever. The same holds for the backup, but the time frame is larger than for the WAL file.

3. At least I was not able to recover a message directly in the database, only in the WAL file.

===========
EDIT 2019/08/11:
I tried to recover the messages with Oxygen Forensics SQLite Viewer, UFED PA and sqlparse from https://github.com/mdegrazia/SQLite-Deleted-Records-Parser/releases. None of them was able to recover the message.
When using a hex editor and searching for the content of the message in the database, I was not able to find the string. That's why I think the message content is overwritten in the database the moment the user deletes the message in WhatsApp.
===========


4. The location of a picture in the WhatsApp Media folder structure gives a hint as to how the picture was handled/generated with WhatsApp. For a detailed view one should look into the database itself, if possible.

Next steps 

I would like to know for how long (how many messages) I am able to recover a message from the WAL file. I need to take a deeper look into this.
I just started with the book "SQLite Forensics" by Paul Sanderson. I'm sure the knowledge in it will help me with this.

I've read about notification logs in Android that could additionally store the content of a message. I will take a deeper look into the system logs and try to find more information.


4 comments:

  1. Did you check freelists for deleted chats? Belkasoft can recover them out of the box.

    1. Hey Yorik, thx for your question.
      I checked unused pages with Oxygen Forensics SQLite Viewer.
      I also let Cellebrite PA try to recover the chat, without a positive result. And I tried the script sqlparse.py from Mari deGrazia, also without a positive result.

      Because the message itself (without the content) is still in the database when deleting a message I think the content of the message is just overwritten by zeroes. This would mean that the page wouldn't be freed and so cannot be found in the freelist of the sqlite db.

      I will add this info to the post so one knows what I have tried to recover the deleted message.

      Thx.

  2. Great work. Have you any conclusions yet on how long or how far back deleted messages remain in the WAL file?

    1. Hey there. Unfortunately I did not have any time to do an in-depth analysis.
      In my daily work I could see that it really depends on how many new entries are generated by Whatsapp (e.g. new messages). The more new entries are generated the higher the probability that the deleted messages are gone.
