Hello everyone, I'm using Cellebrite's latest Physical Analyzer (version 3.9.8.7) to analyze a Samsung Galaxy Note 3 mobile phone. The mobile phone forensic image was acquired by Cellebrite UFED Touch (again, using the latest firmware "Cellebrite Ufed Setup 3.0.9.2 Generic_UFED (Fat).exe.cpkg").
The Physical Analyzer successfully carves out the Whatsapp messages, but fails to display the emoji (e.g. smiling face, angry face, etc). All it shows is a square, instead of the emoji.
Also, the suspect has sent/received some photos using Whatsapp but the Physical Analyzer can only show the 'thumbnail' (i.e. a 100 x 75 pixel picture) which is too small for the investigator to see clearly.
Does anyone know how to use Cellebrite Physical Analyzer to carve out those emoji, as well as the original photos that were sent/received?
Appreciate your help!
Thanks,
Cypri
I can't speak to Cellebrite's data recovered but the msgstore.db is where WhatsApp stores all the messages including thumbnails of the pictures which is likely where Cellebrite is pulling the data from. I would check elsewhere on the phone for copies of the pictures either in the gallery or camera folders for the matching full size picture if it was downloaded or taken with the camera. The msgstore.db also contains a web link for each photo that is stored on whatsapp.net but you likely need the app or at least the keys to access the web link.
As for the emoticons, it's just likely that Cellebrite hasn't got a listing of all the possible emoticons for the app which is pretty common since there could be tons of these and many of them are downloadable add-ons. I would check the raw data and do some testing to verify which emoticon it is if it's important to your case, otherwise you can just note that an emoticon was sent.
You could also check the /data/data/com.whatsapp/files folder for some extra info there if the other locations don't pan out.
Hope that helps.
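The raw-data check suggested above can be done directly against the SQLite database rather than by eyeballing a hex dump. The following is an added example (not code from the thread or from Cellebrite): it builds a small in-memory table whose shape mimics a WhatsApp `messages` table (the column names `_id`, `key_remote_jid` and `data` are an assumption, and the rows are constructed), reads each message back as raw bytes, decodes it as UTF-8 and names every emoji code point with Python's Unicode database. A square in the viewer usually means the font lacks the glyph; the bytes themselves are intact, and the Unicode name tells you which emoji was sent.

```python
import sqlite3
import unicodedata

# Constructed sample rows that mimic the shape of WhatsApp's msgstore.db
# "messages" table (id, remote JID, message text). The records are made up and
# the column names are an assumption, not something taken from the thread.
SAMPLE_ROWS = [
    (1, "6591234567@s.whatsapp.net", "see you soon \U0001F600"),
    (2, "6591234567@s.whatsapp.net", "not funny \U0001F620\U0001F620"),
    (3, "6591234567@s.whatsapp.net", "ok \U0001F44D\U0001F3FD"),
]


def build_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT, data TEXT)"
    )
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def is_emoji(ch):
    """Rough test for emoji-like characters: the main emoji blocks, the
    miscellaneous symbols / dingbats blocks, or any 'Symbol, other' character."""
    cp = ord(ch)
    return (0x1F000 <= cp <= 0x1FAFF
            or 0x2600 <= cp <= 0x27BF
            or unicodedata.category(ch) == "So")


def describe_emoji(text):
    """Return (char, 'U+XXXX', Unicode name) for every emoji-like character in text."""
    out = []
    for ch in text:
        if is_emoji(ch):
            out.append((ch, "U+%04X" % ord(ch), unicodedata.name(ch, "<unnamed>")))
    return out


def dump_messages(conn):
    """Read each row as raw bytes (what a hex viewer or carving tool shows),
    decode it as UTF-8 and describe the emoji it contains.
    Returns (id, jid, hex of raw bytes, decoded text, emoji descriptions)."""
    conn.text_factory = bytes  # get the stored bytes, not a pre-decoded str
    result = []
    query = "SELECT _id, key_remote_jid, data FROM messages ORDER BY _id"
    for _id, jid, raw in conn.execute(query):
        # errors='replace' keeps going if a record is partially overwritten
        text = raw.decode("utf-8", errors="replace")
        result.append((_id, jid.decode("utf-8"), raw.hex(), text, describe_emoji(text)))
    return result


if __name__ == "__main__":
    for _id, jid, raw_hex, text, emoji in dump_messages(build_sample_db()):
        print(f"[{_id}] {jid}: {text!r}")
        print(f"     raw: {raw_hex}")
        for ch, cp, name in emoji:
            print(f"     {cp} {name}")
```

To use it on a real extraction, replace `build_sample_db()` with `sqlite3.connect("msgstore.db")` and adjust the table and column names to what the database actually contains (inspect them with `SELECT name, sql FROM sqlite_master`). The hex column is what to cite in a report: the four bytes `f0 9f 98 80`, for instance, are U+1F600 GRINNING FACE regardless of how any particular viewer renders them.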
Dear mcman,
Thanks for your advice. Really appreciate it.
I can see that the messages and the thumbnail are from that whatsapp db. However, how do I check the original location of that photo which the thumbnail is representing?
There are more than 30,000 photos from the cellphone and I'm wondering whether there's any quicker way to identify the original photo rather than going through all of them manually.
Thanks again for your advice.
Best regards,
Cypri
There are more than 30,000 photos from the cellphone and I'm wondering whether there's any quicker way to identify the original photo rather than going through all of them manually.
I am not sure I understand the question. ?
Can't you run one (among the many) "similar" or "duplicate" image finders?
Example (Free)
https://
jaclaz
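A "similar image finder" of the kind suggested above is, at bottom, a perceptual hash: shrink each picture to a few grey cells, turn the cells into bits, and compare bit strings. The following is an added example (not code from the thread or from any forensic tool) of the simplest such hash, an average hash, written in plain Python so that it runs without imaging libraries. It works on grayscale images represented as lists of pixel rows; the "original" photo, its thumbnail and an unrelated picture are all constructed in the block. The point it demonstrates is that a 20 x 15 thumbnail and its 100 x 75 original produce the same 64-bit hash, while an unrelated picture is far away in Hamming distance, so 30,000 candidates can be ranked without looking at each one.

```python
# Grayscale images are lists of rows, each row a list of 0-255 pixel values.
# Everything below is constructed for the example; nothing comes from a real case.


def gradient_image(w, h, inverted=False):
    """Constructed test picture: a horizontal gradient (or its inverse)."""
    img = []
    for y in range(h):
        row = []
        for x in range(w):
            v = x * 255 // (w - 1)
            row.append(255 - v if inverted else v)
        img.append(row)
    return img


def block_resize(img, tw, th):
    """Shrink an image to tw x th cells by averaging the pixels in each block.
    Only downscaling is supported (tw <= width, th <= height)."""
    h, w = len(img), len(img[0])
    assert tw <= w and th <= h, "block_resize only downscales"
    out = []
    for j in range(th):
        y0, y1 = j * h // th, (j + 1) * h // th
        row = []
        for i in range(tw):
            x0, x1 = i * w // tw, (i + 1) * w // tw
            total = sum(img[y][x] for y in range(y0, y1) for x in range(x0, x1))
            row.append(total / ((y1 - y0) * (x1 - x0)))
        out.append(row)
    return out


def make_thumbnail(img, tw, th):
    """Constructed stand-in for the thumbnail a messaging app stores."""
    return [[int(round(v)) for v in row] for row in block_resize(img, tw, th)]


def average_hash(img, size=8):
    """Average hash: resize to size x size, set a bit for every cell brighter
    than the mean. Returns a (size*size)-bit integer."""
    cells = block_resize(img, size, size)
    flat = [v for row in cells for v in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for v in flat:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes (0 = identical)."""
    return bin(a ^ b).count("1")


def find_matches(thumb_hash, candidates, max_distance=6):
    """Rank candidate images (name -> image) by distance to the thumbnail's
    hash and return the names within max_distance, closest first."""
    scored = sorted((hamming(thumb_hash, average_hash(img)), name)
                    for name, img in candidates.items())
    return [name for d, name in scored if d <= max_distance]


if __name__ == "__main__":
    original = gradient_image(100, 75)
    thumb = make_thumbnail(original, 20, 15)
    gallery = {"IMG_0001.jpg": original,
               "IMG_0002.jpg": gradient_image(100, 75, inverted=True)}
    h = average_hash(thumb)
    print("thumbnail hash: %016x" % h)
    for name, img in gallery.items():
        print(name, "distance", hamming(h, average_hash(img)))
    print("matches:", find_matches(h, gallery))
```

In practice you would decode every JPEG in the gallery and camera folders to grayscale (with any image library), hash each once, and store the hashes beside the file path; each thumbnail is then a 64-bit lookup against that index. Keep the distance threshold small (a handful of bits) to avoid false matches among photos of similar scenes, and confirm any candidate by viewing it. Where the database stores a hash of the sent file itself, an exact cryptographic-hash comparison against the gallery files is quicker still and leaves no ambiguity.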
I've had very good success using other forensic tools to examine .bin images created by UFED, and specifically around Whatsapp.
My tool of choice is Xways but EnCase should be able to achieve similar results if that's what you use.
Whatsapp messages have unique text at the beginning of every message so using a keyword search will reveal those messages the UFED has already identified, and likely a few more that it couldn't see. You can use the same approach for the attachments if you know the file name.
Thanks everyone for your tips and advice. Let me try to use EnCase to read the UFED bin file and see if I have any luck.
Many thanks again!
Best regards,
Cypri
you should find "s.whatsapp.net" at the beginning of every message.
The sending phone number will precede that text and the username will be appended to the end... at least that was the case with my matter.
Good luck!
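The keyword-search approach described in the two posts above (a fixed marker at the start of every record, the phone number before it, a username after it) is easy to automate over the raw .bin image. The following is an added example, not code from the thread or from X-Ways, EnCase or Cellebrite: it scans a byte buffer for `<digits>@s.whatsapp.net`, records the absolute offset, the number and the next printable run after the marker, and reads a large image in overlapping chunks so a multi-gigabyte file never has to be loaded at once. The sample buffer is constructed; the record layout (number, marker, a separator byte, then the name) is an assumption based on the posts, so treat the "name" column as context to verify, not as a parsed field.

```python
import re

# Marker described in the thread: a phone number immediately before
# "@s.whatsapp.net". The digit range is a loose assumption.
JID_RE = re.compile(rb"(\d{6,15})@s\.whatsapp\.net")
# A run of printable ASCII following the marker; in the posts above this
# is where the username appeared.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{1,64}")

# Constructed sample of what a fragment of a raw image might look like:
# padding, two records, some unrelated bytes. Not taken from a real image.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"6591234567@s.whatsapp.net\x00Alice\x00\x00"
    + b"garbage bytes \xff\xfe"
    + b"4477001234@s.whatsapp.net\x00Bob\x00"
    + b"\x00" * 8
)


def scan_bytes(blob, base_offset=0):
    """Find every JID marker in blob. Returns (absolute offset, number, context)
    tuples, where context is the first printable run within 80 bytes after
    the marker (an assumption: the thread reports the username there)."""
    hits = []
    for m in JID_RE.finditer(blob):
        number = m.group(1).decode("ascii")
        tail = PRINTABLE_RE.search(blob, m.end(), m.end() + 80)
        context = tail.group(0).decode("ascii") if tail else ""
        hits.append((base_offset + m.start(), number, context))
    return hits


def scan_file(path, chunk_size=1 << 20, overlap=256):
    """Scan a large image in chunks, carrying `overlap` bytes from the previous
    chunk so a marker straddling a chunk boundary is still found. Hits in the
    overlap are seen twice and deduplicated by absolute offset."""
    hits, seen = [], set()
    prev_tail = b""
    offset = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = prev_tail + chunk
            base = offset - len(prev_tail)
            for hit in scan_bytes(buf, base):
                if hit[0] not in seen:
                    seen.add(hit[0])
                    hits.append(hit)
            prev_tail = buf[-overlap:]
            offset += len(chunk)
    return hits


if __name__ == "__main__":
    for off, number, context in scan_bytes(SAMPLE_IMAGE):
        print(f"offset 0x{off:08x}  number {number}  context {context!r}")
```

Run `scan_file("image.bin")` against the UFED export to get a list of offsets to jump to in your hex viewer; comparing that list with what Physical Analyzer parsed is a quick way to see which records it missed. The overlap only needs to exceed the longest record you expect to match, and the same two-function pattern works for any other fixed marker, such as an attachment file name.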
Thanks again everyone for the tips and advice.
I managed to access those SQLite databases and saw the messages there. However, some of the emoji are still showing up as a square.
Would you advise me on how to recover those emoji?
Many thanks again.
Best regards,
Cypri
Sorry, I have no advice regarding the emoji, not something I've had to try and do yet.
Given what the emoji are, is there a reason to think they may be relevant? Or are you just trying to cover all bases in case they are custom symbols that may add context?
I, too, am wondering what could be so important about emojis. Just curious …