ndroid WhatsApp Blog

Investigating Android WhatsApp

23/02/2024 Friday

WhatsApp is a cross-platform application owned by Facebook. The platform supports sending and receiving text and voice messages, photos, documents, videos, and locations. Android WhatsApp provides all these features along with voice and video calls for one-to-one chats and group chats.

Digital Forensics Value of Android WhatsApp

Since its early beginnings and till today, WhatsApp remains the market leader and one of the top-ranking messaging applications globally. According to its official website, Android WhatsApp has more than 2 billion users in over 180 countries. Given its widespread popularity, Android WhatsApp is considered a significant source of evidentiary information in most investigations.

Location of Android WhatsApp Artifacts

Android WhatsApp artifacts can be found at the following locations::
data/com.whatsapp/databases/msgstore.db
data/com.whatsapp/databases/wa.db
ddata/com.whatsapp/shared_prefs/com.whatsapp_preferences_light.xml

Structure of Android WhatsApp Artifacts

Most WhatsApp artifacts are maintained within SQLite databases which have the same structure in most of the versions; however, the WhatsApp settings artifact is kept in an XML file.

Analyzing Android WhatsApp Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract Android WhatsApp artifacts from Android device files and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android WhatsApp artifacts:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android WhatsApp App artifact in ArtiFast.

Android WhatsApp Text Messages Artifact

Time: Date/Time message was sent.
Participant Name: The name of the message participant.
Message ID: The message ID.
Chat ID: The chat ID.
Starred: Indicates whether the message is starred.
Participant JID: The message participant JID.
Is Broadcast Message: Indicates whether the message was a broadcast message.
Message Body: Message content.
Is forwarded: Indicates whether the message was forwarded.
Received Date/Time: Date/Time message was received.
Server Received Date/Time: Date/Time message was received on the server.
Message Type: The message type.
Status: The status of the message.
Direction: Indicates whether the message was outgoing or incoming.
Origin: The origin of the message.

Android WhatsApp Contacts Artifact

Title: Contact title.
Given Name: The contact's given name.
WhatsApp Name: The contact’s WhatsApp name.
Nickname: The contact’s nickname.
Status Last Update Time: Date and time the contacts last updated their status.
Photo Last Update Time: Date and time the contacts last updated their photo.
Company: The contact’s company.
Status: The contact’s status.
Is WhatsApp User: Indicates whether the contact is a WhatsApp user or not.
Contact Number: The contact’s phone number.
Contact ID: Contact ID.
Family Name: Contact family name.
Unseen Message Count: The unseen message count.
Contact Type: Contact type.
Is Spam Reported: Indicates whether the contact was reported spam or not.

Android WhatsApp Calls Artifact

Time: Date/time the call was made.
Call Type: Indicates whether the call was a video or an audio call.
Status: Indicates the status of the call (answered, declined, or missed).
Direction: Indicates whether the call was incoming or outgoing.
Duration: The call duration in seconds.
Group: The group name.
Caller: The caller's name.
Call ID: The call ID.
Received Date/Time: Date and time the call was received.

Android WhatsApp Group Chat Sessions Artifact

Time: Group creation date/time.
Group JID: The Group JID.
Creator: Group creator’s user ID.
Group Name: The group name.
Last Message Sent Date/Time: Last message sent date and time.
Hidden: Indicates whether the group is hidden or not.
Unseen Missed Calls Count: The unseen missed calls count.
Archived: Indicate whether the group is archived or not.
Chat ID: The chat ID.
Display Message ID: The display message ID.
Last Read Message ID: The last read message ID.

Android WhatsApp Location Messages Artifact

Time: Date/Time message was sent.
Participant Name: The name of the message participant.
Message ID: The message ID.
Chat ID: The chat ID.
Starred: Indicates whether the message is starred.
Participant JID: The message participant JID.
Is Broadcast Message: Indicates whether the message was a broadcast message.
Message Body: Message content.
Is forwarded: Indicates whether the message was forwarded.
Received Date/Time: Date/Time message was received.
Server Received Date/Time: Date/Time message was received on the server.
Message Type: The message type.
Status: The status of the message.
Direction: Indicates whether the message was outgoing or incoming.
Origin: The origin of the message.
Thumbnail (Base64): The message thumbnail.
Duration Live Location Shared: The duration the live location was shared.
Longitude: The longitude.
Latitude: The latitude.
Final Live Latitude: The live location's final latitude.
Final Live Latitude: The live location's final longitude.
Is Live: Indicates whether the location was live location or not.

Android WhatsApp Individual Chat Sessions Artifact

Time: The last message sent date and time.
Hidden: Indicates whether the group is hidden or not.
Unseen Missed Calls Count: The unseen missed calls count.
Archived: Indicate whether the group is archived or not.
Display Message ID: The display message ID.
Chat ID: The chat ID.
Last Read Message ID: The last read message ID.

Android WhatsApp Video Messages Artifact

Time: Date/Time message was sent.
Participant Name: The name of the message participant.
Message ID: The message ID.
Chat ID: The chat ID.
Starred: Indicates whether the message is starred.
Participant JID: The message participant JID.
Is Broadcast Message: Indicates whether the message was broadcast message.
Message Body: Message content.
Is forwarded: Indicates whether the message was forwarded.
Received Date/Time: Date/Time message was received.
Server Received Date/Time: Date/Time message was received on the server.
Message Type: The message type.
Status: The status of the message.
Direction: Indicates whether the message was outgoing or incoming.
Origin: The origin of the message.
Thumbnail (Base64): The message thumbnail.
Duration: The video duration.
Mime Type: The media Mime type.
Media Hash: The media hash.
File Path: The media file path.
Transferred: Indicates whether the media was transferred or not.
Media Caption: Media Caption.
URL: The media URL.
Media Size: The media size.

Android WhatsApp Photo Messages Artifact

Time: Date/Time message was sent.
Participant Name: The name of the message participant.
Message ID: The message ID.
Chat ID: The chat ID.
Starred: Indicates whether the message is starred.
Participant JID: The message participant JID.
Is Broadcast Message: Indicates whether the message was broadcast message.
Message Body: Message content.
Is forwarded: Indicates whether the message was forwarded.
Received Date/Time: Date/Time message was received.
Server Received Date/Time: Date/Time message was received on the server.
Message Type: The message type.
Status: The status of the message.
Direction: Indicates whether the message was outgoing or incoming.
Origin: The origin of the message.
Thumbnail (Base64): The message thumbnail.
Mime Type: The media Mime type.
Media Hash: The media hash.
File Path: The media file path.
Transferred: Indicates whether the media was transferred or not.
Media Caption: Media Caption.
URL: The media URL.
Media Size: The media size.

Android WhatsApp Settings Artifact

Status Message: The user’s status message.
Wi-Fi Auto Download: Whether the auto download is allowed using Wi-Fi.
Roaming Auto Download: Whether the auto download is allowed while roaming.
Cellular Auto Download: Whether the auto download is allowed using cellular.
WhatsApp Version: WhatsApp version.
Display Name: Display name.
Phone Number: User’s phone number.
WhatsApp Identifier: User’s WhatsApp identifier.
Is Read Receipt: Whether read receipt is allowed.