No way to recover Line or WeChat deleted chat messages

13 Posts
7 Users
0 Likes
2,433 Views
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

WeChat 6.x and Line 5.3 or above add a new feature called "True Delete", which means deleted chat messages will no longer exist. When chat apps start to wipe deleted messages, it will be impossible to recover them; no matter what forensic tools (UFED, XRY, Oxygen…) you use, they won't be able to recover "wiped" deleted messages.

What should we do under these circumstances? Hope suspects forget to delete chat messages, and hope there are lots of backups on their computers and in the cloud.

 
Posted : 08/10/2015 8:12 pm
Logan
(@logan)
Posts: 66
Trusted Member
 

Have you tested this? I mean, it would be interesting to see whether these records could actually be recovered from a physical read of the device from previous versions of the database.

 
Posted : 09/10/2015 12:37 pm
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Thank you for the interesting info! We will check it asap. Sometimes mobile app developers claim that they encrypt or delete data forever, but in reality the records are still available in the database and can be extracted.

 
Posted : 09/10/2015 12:58 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Thank you guys. Several recent cases have proved this issue, and unfortunately we did not recover deleted messages with top commercial mobile forensic tools.

As far as I know, Naver Line is very serious this time. Line 5.3 and above add two new features, "True Delete" and "Letter Sealing".
You guys could take a look at Line Engineer's blog:
http://developers.linecorp.com/blog/?p=3660

WeChat 6.x achieved "True Delete" earlier than Line 5.3. We do worry that "True Delete" will become a standard feature for most chat apps.

I'd appreciate your providing us with any information about the possibility of recovering WeChat 6.x and Line 5.3 or above deleted chat messages.

 
Posted : 09/10/2015 1:53 pm
XRY_Mike
(@xry_mike)
Posts: 28
Eminent Member
 

Gorvq7222,

It will be interesting to see if that is true. XRY v6.15 has verified support for

- WeChat (6.2.4.51_rdf8da56) on Android
- WeChat (6.2.5) on iOS
- WeChat (6.0.6) on Windows

Please check the results as you may be able to challenge that claim.

XRY can decode deleted SQLite data from unallocated clusters to recover deleted WeChat data. It offers you the option to carve out deleted SQLite app data from a physical extraction of either an EXT or FAT partition.

(Note this can take some time).

 
Posted : 09/10/2015 1:57 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Hi XRY_Mike,

I did use XRY or UFED to recover Line or WeChat deleted chat messages before, but now I could find those deleted messages. If Line or WeChat did wipe those deleted chat messages, absolutely nothing could be found… because those deleted messages were overwritten and no longer exist.

Please kindly help us to identify whether Line or WeChat wipes deleted messages or not; lots of forensic guys will need to know what's going on and how to handle this situation. Thank you again.

 
Posted : 10/10/2015 6:59 pm
(@droopy)
Posts: 136
Estimable Member
 

I read the Line True Delete method.
In reality, you could recover the previous byte state using government forensic software and hardware, so it is possible to read the data even if the database adds zeros like LINE.
This is not a cheap or free solution, but it is possible to read at least 2 or 3 previous byte states.

Regards,
Droopy

 
Posted : 12/10/2015 5:28 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> I read the Line True Delete method.
> In reality, you could recover the previous byte state using government forensic software and hardware, so it is possible to read the data even if the database adds zeros like LINE.
> This is not a cheap or free solution, but it is possible to read at least 2 or 3 previous byte states.
>
> Regards,
> Droopy

Really? 😯
How do you know?
Does this apply only to bytes related to Wechat and Line or does it apply to *any* byte?

jaclaz

 
Posted : 12/10/2015 12:15 pm
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

Thank you guys. We always say that forensics is a strict science, so we should let the evidence speak for itself. Let's see if we can recover Line 5.3 and above deleted chat messages or not. You guys could take a look at my blog below; my Line version is now 5.5.1, so let's see what will happen.
http://www.cnblogs.com/pieces0310/p/4873173.html

Where are those deleted chat messages? Unfortunately they are gone. "Wiped" means zeroed out, and those deleted chat messages will no longer exist.

Look at "Blocks containing deleted data": those deleted chat messages were wiped, so we can do nothing about wiped data.

If wiping out deleted chat messages becomes a standard feature for those popular chat apps, that will be a nightmare for forensic guys.

 
Posted : 12/10/2015 8:02 pm
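An added example to illustrate the two posts above (XRY_Mike's point that carvers pull deleted rows out of unallocated SQLite space, and gorvq7222's point that "wiped" means zeroed out, so there is nothing left to carve). This is not code from the thread, from LINE, or from WeChat: it builds two small SQLite chat databases, deletes one message from each, and then reads the raw file the way a carver would, looking in the page's freeblocks and the gap below the cell pointer array. The first database uses SQLite's default delete behaviour; the second sets PRAGMA secure_delete=ON, which makes SQLite overwrite freed cell space with zeros. The assumption here is that secure_delete is a fair stand-in for the "True Delete" behaviour the thread describes; LINE's and WeChat's real implementations are not shown on this page. The table layout, the messages and the SECRET-MARKER token are constructed for the demo.

```python
"""Added example (not code from this thread, LINE or WeChat).

Does a deleted SQLite row survive in the file? Compare SQLite's default
delete behaviour with PRAGMA secure_delete=ON (zeroes freed space), used
here as a stand-in for the thread's "True Delete" (an assumption).
"""
import os
import sqlite3
import tempfile

MARKER = "SECRET-MARKER-7f3a"  # constructed token, stored in exactly one row

# Constructed sample messages, not real chat data.
MESSAGES = [
    (1, "alice", "meet at the usual place 9pm"),
    (2, "bob", "this one gets deleted " + MARKER),
    (3, "alice", "ok see you there"),
]


def build_db(path, secure_delete):
    """Create a chat table, insert the sample rows, delete row 2.
    Returns the root page number of the table."""
    con = sqlite3.connect(path)
    # No rollback journal, so the only on-disk copy of a page is the main file.
    con.execute("PRAGMA journal_mode=OFF")
    # Set explicitly: some SQLite builds default secure_delete to ON.
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE chat(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    # Bound parameters, so MARKER never appears in any SQL text stored in the file.
    con.executemany("INSERT INTO chat VALUES (?, ?, ?)", MESSAGES)
    con.commit()
    con.execute("DELETE FROM chat WHERE id = 2")
    con.commit()
    root = con.execute("SELECT rootpage FROM sqlite_master WHERE name='chat'").fetchone()[0]
    con.close()
    return root


def free_regions(data, page_size, pgno):
    """Unallocated byte ranges of a table b-tree leaf page: the gap between
    the cell pointer array and the cell content area, plus the freeblock
    chain. These are the 'blocks containing deleted data' a carver reads."""
    base = (pgno - 1) * page_size
    hdr = 100 if pgno == 1 else 0  # page 1 carries the 100-byte file header
    page = data[base:base + page_size]
    if page[hdr] != 0x0D:
        raise ValueError("page %d is not a table leaf page" % pgno)
    first_free = int.from_bytes(page[hdr + 1:hdr + 3], "big")
    ncells = int.from_bytes(page[hdr + 3:hdr + 5], "big")
    content_start = int.from_bytes(page[hdr + 5:hdr + 7], "big") or 65536
    regions = []
    gap_start = hdr + 8 + 2 * ncells
    if content_start > gap_start:
        regions.append((base + gap_start, content_start - gap_start))
    off = first_free  # freeblock: 2-byte next offset, 2-byte size, then old bytes
    while off:
        nxt = int.from_bytes(page[off:off + 2], "big")
        size = int.from_bytes(page[off + 2:off + 4], "big")
        regions.append((base + off, size))
        off = nxt
    return regions


def carve(path, pgno, marker):
    """Return (marker found anywhere in file, marker found in free regions)."""
    with open(path, "rb") as f:
        data = f.read()
    page_size = int.from_bytes(data[16:18], "big")
    needle = marker.encode()
    anywhere = needle in data
    in_free = any(needle in data[off:off + size]
                  for off, size in free_regions(data, page_size, pgno))
    return anywhere, in_free


def run_experiment():
    """Run both variants; returns {name: {live_rows, anywhere, in_free_regions}}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, secure in (("default", False), ("secure_delete", True)):
            path = os.path.join(d, name + ".db")
            pgno = build_db(path, secure)
            con = sqlite3.connect(path)
            live = con.execute("SELECT count(*) FROM chat").fetchone()[0]
            con.close()
            anywhere, in_free = carve(path, pgno, MARKER)
            results[name] = {"live_rows": live, "anywhere": anywhere,
                             "in_free_regions": in_free}
    return results


if __name__ == "__main__":
    for name, r in run_experiment().items():
        print("%-14s live_rows=%d carvable=%s in_free_regions=%s"
              % (name, r["live_rows"], r["anywhere"], r["in_free_regions"]))
```

Both databases report the same two live rows through SQL, so a logical extraction cannot tell them apart. In the default database the deleted body still sits inside a freeblock of the table's leaf page (only the first four bytes of the old cell are overwritten by the freeblock header), which is exactly what a carver recovers. With secure_delete the freeblock is zero-filled and the marker is gone from the whole file, so no amount of SQLite carving brings it back; the remaining sources are journals, WAL files, backups and other copies, as the later posts in this thread discuss.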
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

One technique I have employed to "recover" deleted data from smartphones is making sure to look at Mobile Backups on workstations and in the cloud.

On a recent Pro-Bono case, my client's 14 year old deleted key text messages and photos of abuse of the 14 year old's 7 year old younger brother by their father from the mother's iPhone one week before my attorney client was scheduled to go before the judge.

Fortunately, my client (the mother) had iCloud backups of the phone from December of 2014 which did include the text messages deleted from the iPhone itself.

Normally, my understanding is that Apple's iCloud only keeps three days worth of mobile backups per iDevice, meaning if iCloud backup is turned on, then the oldest iCloud-stored mobile backup will be overwritten by today's newly created iCloud mobile backup.

However, in the case of my client, we were very lucky that she happened to turn off iCloud backups after the creation of the December 2014 mobile backup, such that the December 2014 mobile backup had not been overwritten at the time I used Elcomsoft's Phone Breaker tool to download it.

Also, I believe, but have not tested it, that historical iTunes-created mobile backups stored on workstations could contain data deleted from more recently created iTunes backups.

So, my advice, and I am sure I am stating the obvious, is to not just focus on the physical phone itself to the exclusion of other potential sources of evidence.

Do Line and WeChat have workstation versions that could contain SQLite databases that might differ from the Line/WeChat installation on a related user's smartphone?

 
Posted : 13/10/2015 2:11 am
Page 1 / 2