ABSTRACT: This is a procedure for locating and parsing the timestamps of deleted messages in the Android WhatsApp database.
I did a little reverse engineering, using the hexadecimal tool of Physical Analyzer (UFED by Cellebrite), of the database of the popular messaging app WhatsApp for Android, because P.A. 3.8.6 does not display deleted WhatsApp messages, at least on Android 4.1.2 on my Samsung S3.
The database type is SQLite 3.0 and it is located in:
Before the acquisition by UFED Physical Touch of my Samsung S3 with Android 4.1.2, I proceeded to delete two (the first and the third) messages in a conversation from my WhatsApp.
After the acquisition I obtained the file DumpData.bin; I opened msgstore.db with the hex file viewer and searched for the keywords of the deleted messages, getting a hex dump like this (the screenshot is not from the PA editor):
The message consists of the sender's number, followed by a number that represents the date but not the correct time. This number is the Unix epoch time, i.e. the number of seconds since 00:00:00 on 01/01/1970. With a simple conversion using a program like DCode or http://www.epochconverter.com/, we can see that the number 1385911713 converted to a date is 01 Dec 2013 at 15:28:33, so the time is not accurate.
We have to find the date and time (timestamp) of this message. After some testing and comparison with the messages that were not deleted, we find that the first six (6) bytes after the end of the message text represent the timestamp with the correct date and time.
Indeed, we collect the following 6 bytes for the first message:
01 42 AE FF E8 20 and 01 42 AF 1F BA 5F. We convert them to decimal with a calculator and then interpret the number as Unix time in milliseconds, because here the timestamps are in milliseconds and not seconds; then we set DCode to UTC+1 (we are in Italy, and in winter time it is UTC+1).
Same procedure for the other message:
We can conclude that, even after the two messages were deleted, we have recovered the sender, the recipient, the text and the correct timestamp.
This procedure works only if the deleted records still survive as junk (unallocated data) inside the database, and its focus is on timestamp discovery.
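The conversion steps above, written out as an added example that is not part of the original post and not a Cellebrite or WhatsApp tool: it scans a raw dump for a known message text, reads the 6 bytes that follow it as a big-endian millisecond count and renders them in UTC+1. The plausibility window that flags a hit whose bytes cannot be a message time is my own assumption, and the sample bytes are constructed.

```python
from datetime import datetime, timedelta, timezone

# The timestamp is the 6 bytes right after the message text: a big-endian
# count of milliseconds (not seconds) since the Unix epoch.
TS_LEN = 6
# Plausibility window (my assumption, not from the post): a value outside it
# usually means the keyword was not the true end of the message text.
MIN_MS = int(datetime(2009, 1, 1, tzinfo=timezone.utc).timestamp()) * 1000
MAX_MS = int(datetime(2038, 1, 1, tzinfo=timezone.utc).timestamp()) * 1000

def ms_from_bytes(raw: bytes) -> int:
    """Decode the 6 timestamp bytes (e.g. 01 42 AE FF E8 20) to milliseconds."""
    if len(raw) != TS_LEN:
        raise ValueError("expected %d bytes, got %d" % (TS_LEN, len(raw)))
    return int.from_bytes(raw, "big")

def ms_to_iso(ms: int, utc_offset_hours: int = 1) -> str:
    """Render milliseconds as local time; default UTC+1 (Italy, winter time)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    dt = datetime.fromtimestamp(ms // 1000, tz) + timedelta(milliseconds=ms % 1000)
    return dt.isoformat(timespec="milliseconds")

def find_message_timestamps(blob: bytes, text: str, utc_offset_hours: int = 1):
    """Return (offset, ms, iso) for every copy of `text` in a raw dump;
    ms and iso are None when the 6 following bytes are missing or implausible."""
    needle = text.encode("utf-8")
    hits = []
    pos = blob.find(needle)
    while pos != -1:
        end = pos + len(needle)
        raw = blob[end:end + TS_LEN]
        ms = ms_from_bytes(raw) if len(raw) == TS_LEN else None
        if ms is not None and MIN_MS <= ms <= MAX_MS:
            hits.append((pos, ms, ms_to_iso(ms, utc_offset_hours)))
        else:
            hits.append((pos, None, None))
        pos = blob.find(needle, pos + 1)
    return hits

# Constructed sample fragment laid out as the post describes (sender number,
# message text, 6-byte timestamp); it is not a real msgstore.db dump.
SAMPLE = (
    b"\x00\x00395551234567\x00Ciao, ci vediamo alle 17?"
    + bytes.fromhex("0142AEFFE820")
    + b"\x00\x00\x00\x00Ci sono"
    + bytes.fromhex("0142AF1FBA5F")
)

if __name__ == "__main__":
    print(find_message_timestamps(SAMPLE, "Ciao, ci vediamo alle 17?"))
```

Pass `utc_offset_hours=0` to get the UTC value DCode shows before the time zone is set.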
Nanni Bassetti, Digital Forensics Expert, C.A.IN.E. Linux forensic distro project manager, founder of CFI – Computer Forensics Italy, a mailing list specialized in digital forensics topics, co-developer of SFDumper and founder of the web site http://scripts4cf.sf.net.
Personal website: http://www.nannibassetti.com – e-mail: [email protected]