Inconsistent naming convention of sent WhatsApp media

(@marvinharriott)
New Member
Joined: 9 years ago
Posts: 1
Topic starter  

I am working on a case where data sent using the WhatsApp application constitutes a critical part of the case. I have come across an issue with the naming of some of the media that was sent using this application. I used Cellebrite UFED 4PC for data acquisition and UFED Physical Analyzer to do my analysis.

By default a video file sent will have a name, for example VID-20160913-WA0001.mp4; this will be in sync with the current date. However, on analyzing the data, I am seeing a video file with the name VID_20150417_WA0031_2.mp4, and this file was sent on 20150604. I observe that the dates are not in sync, and WhatsApp normally does not use underscores nor attach another string to the consecutive number. I am not sure why this is happening and I am unable to find a theory for this occurrence.

Is anyone able to explain why these inconsistencies exist?


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

I can't explain the inconsistency but I would suggest that you view the DB in an SQLite viewer to see what the raw data says.

Depending on the version and platform you could have messages in one table and attachments in another - if a join has been made incorrectly (more likely when recovering deleted data) then this might explain the inconsistency.

Likewise there are often a number of dates associated with a message - sent, received and server can be present iirc - I don't know which of these, if any, would be used to generate the timestamp associated with the file name. But it might be worth a look and may help explain what is going on.

Also, have you looked at what happens if a received file is forwarded/copied within WA?

My Forensic Browser for SQLite is available here along with a link for a fully functional demo

http://sandersonforensics.com/forum/content.php?198-Forensic-Browser-for-SQLite

Cheers
Paul


   
BraindeadVirtually
(@braindeadvirtually)
Estimable Member
Joined: 17 years ago
Posts: 115
 

I can't explain the inconsistency but I would suggest that you view the DB in an SQLite viewer to see what the raw data says.

Threadjacking a bit here but the problem I am finding with iOS devices and the likes of Telegram and WhatsApp lately is that I can't actually get to the DB. Media's trivial though…


   
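Added example (not part of any post in this thread): a small triage script that checks media file names against the default form described in the first post and reports each deviation, including the gap between the date in the name and the sent date. The function names are hypothetical, the three-letter prefix is a generalization of the VID case, and the sent dates are assumed to be supplied by the examiner from whichever message timestamp they trust.

```python
import re
from datetime import date, datetime

# Lenient form of the default VID-20160913-WA0001.mp4 layout: accepts either
# separator and an optional trailing string after the sequence number, so that
# deviating names can still be parsed and described.
LENIENT = re.compile(
    r"^(?P<kind>[A-Z]{3})(?P<s1>[-_])(?P<ymd>\d{8})(?P<s2>[-_])"
    r"WA(?P<seq>\d{4})(?P<extra>[-_][^.]+)?\.(?P<ext>\w+)$"
)

def check_media_name(name, sent_on):
    """Return a list of deviations from the default naming for one file."""
    m = LENIENT.match(name)
    if m is None:
        return ["unparsed: not a WhatsApp-style media name"]
    findings = []
    if "_" in (m["s1"], m["s2"]):
        findings.append("separator: underscore used instead of hyphen")
    if m["extra"]:
        findings.append(f"suffix: extra string {m['extra']!r} after sequence number")
    try:
        named = datetime.strptime(m["ymd"], "%Y%m%d").date()
    except ValueError:
        findings.append(f"date: {m['ymd']} is not a valid calendar date")
    else:
        if named != sent_on:
            delta = (sent_on - named).days
            findings.append(f"date: name says {named}, sent {sent_on} ({delta:+d} days)")
    return findings

# Constructed sample: the two file names from the first post. The sent date of
# the first entry is assumed equal to the date in its name; the second is the
# sent date the poster reports (20150604).
SAMPLE = [
    ("VID-20160913-WA0001.mp4", date(2016, 9, 13)),
    ("VID_20150417_WA0031_2.mp4", date(2015, 6, 4)),
]

def triage(records):
    """Map each file name to its list of findings (empty list = default form)."""
    return {name: check_media_name(name, sent) for name, sent in records}

if __name__ == "__main__":
    for name, findings in triage(SAMPLE).items():
        print(name, "->", findings or "matches default")
```

Run over a full export, the files that come back with findings are the ones worth checking against the raw database rows.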