±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 33838
New Yesterday: 2 Visitors: 214

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

WhatsApp Log file analysis

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts

WhatsApp Log file analysis

Post Posted: Wed Apr 11, 2018 7:48 am

I am currently investigating WhatsApp activity on an iPhone 6 (iOS 11.0.3, WA 2.17.80). For this case the user interaction with the phone and the WhatsApp application is of importance. Therefore I decided to analyse the WhatsApp log-files, which hold loads of interesting data (unfortunately only dating back a few days).

There are however a few elements which are not clear to me and I was wondering if someone here has more experience with this:

For one, there seem to be two types of log files:
- Files named like "whatsapp-2017-11-22-11-59-28-982-WhatsApp-419-launch.log"
- Files named like "whatsapp-2017-11-21-17-48-01-243-WhatsApp-418.log"
I am now wondering when the 'launch' logs are created. Are they created when the app is 'launched' by the user? Or is there another reason?

When viewing log files, it is often possible to determine when the device was locked or unlocked. This is however not always very clear. For instance:
2017-11-22 11:59:28.388 [3284062] [main-thread   ] [-] LL_A* app/did-finish-launching
2017-11-22 11:59:28.391 [3284062] [main-thread   ] [-] LL_A* app/memory: System [Used 3105MB, Free 300MB] Process [13MB]
2017-11-22 11:59:28.410 [3284062] [main-thread   ] [-] LL_A* defer/begin/in-background
2017-11-22 11:59:28.412 [3284062] [main-thread   ] [-] LL_A* assetslibrary//save-media/defer-began
2017-11-22 11:59:28.459 [3284062] [main-thread   ] [-] LL_A* appdelegate/device-unlocked
2017-11-22 11:59:28.460 [3284062] [main-thread   ] [-] LL_A* appdelegate/chat-database-unlocked
2017-11-22 11:59:28.462 [3284062] [main-thread   ] [-] LL_A* appdelegate/protected-data-available/0
The above entries state 'appdelegate/device-unlocked', which would lead to believe that the lock screen is not active. However a little further down there is an entry 'appdelegate/protected-data-available/0', which indicates protected data (the one behind the lock screen) is not available.
Does anyone have an explanation for this?
(There are log entries where 'protected-data' is indicated as 1, and where I am sure the device was unlocked).

Also, in the above snippet is an entry 'app/did-finish-launching'. Whats does this indicate exactly?

On a related note, I have also been looking at the 'ChatStorage.sqlite' database. There is a table 'ZWAMESSAGE' which contains the actual chats. In this table there is a column 'ZMESSAGESTATUS', which I presume indicates whether messages have been received/read/... Does anyone have an overview of the meaning of these statuses? My own research indicates following possibilities:
- 1: Message send, but not received by other party
- 6: Message send and received by other party, but not read
- 8: Message send, received and read
Does anyone know of the other statuses and also how to connect them to timestamps? I assume they can be correlated to the 'ZWAMESSAGEINFO' table somehow.

Thanks already!  


Re: WhatsApp Log file analysis

Post Posted: Mon Apr 16, 2018 1:51 am

For informations about locked/unlocked screen:

adb logcat -b system -b events -v time –d > logcat.txt  


Re: WhatsApp Log file analysis

Post Posted: Mon Apr 16, 2018 2:40 am

- Plan_B
For informations about locked/unlocked screen:

adb logcat -b system -b events -v time –d > logcat.txt

On iOS/iPhone? Shocked

- In theory there is no difference between theory and practice, but in practice there is. - 

Senior Member

Re: WhatsApp Log file analysis

Post Posted: Mon Apr 16, 2018 6:53 am

Oh my..

Excuse me. I was lil bit in hurry and did not read it precisely.. Of course that works just for Android.

But on iOS there are OS-sided logs too where u can find those kind of informations.  


Page 1 of 1