I am currently investigating WhatsApp activity on an iPhone 6 (iOS 11.0.3, WA 2.17.80). For this case the user interaction with the phone and the WhatsApp application is of importance. Therefore I decided to analyse the WhatsApp log-files, which hold loads of interesting data (unfortunately only dating back a few days).
There are however a few elements which are not clear to me and I was wondering if someone here has more experience with this.
For one, there seem to be two types of log files:
- Files named like "whatsapp-2017-11-22-11-59-28-982-WhatsApp-419-launch.log"
- Files named like "whatsapp-2017-11-21-17-48-01-243-WhatsApp-418.log"
I am now wondering when the 'launch' logs are created. Are they created when the app is 'launched' by the user? Or is there another reason?
When viewing log files, it is often possible to determine when the device was locked or unlocked. This is however not always very clear. For instance:
2017-11-22 115928.388 [3284062] [main-thread ] [-] LL_A* app/did-finish-launching
2017-11-22 115928.391 [3284062] [main-thread ] [-] LL_A* app/memory System [Used 3105MB, Free 300MB] Process [13MB]
2017-11-22 115928.410 [3284062] [main-thread ] [-] LL_A* defer/begin/in-background
2017-11-22 115928.412 [3284062] [main-thread ] [-] LL_A* assetslibrary//save-media/defer-began
2017-11-22 115928.459 [3284062] [main-thread ] [-] LL_A* appdelegate/device-unlocked
2017-11-22 115928.460 [3284062] [main-thread ] [-] LL_A* appdelegate/chat-database-unlocked
2017-11-22 115928.462 [3284062] [main-thread ] [-] LL_A* appdelegate/protected-data-available/0
The above entries state 'appdelegate/device-unlocked', which would lead one to believe that the lock screen is not active. However a little further down there is an entry 'appdelegate/protected-data-available/0', which indicates protected data (the one behind the lock screen) is not available.
Does anyone have an explanation for this?
(There are log entries where 'protected-data' is indicated as 1, and where I am sure the device was unlocked).
Also, in the above snippet is an entry 'app/did-finish-launching'. What does this indicate exactly?
On a related note, I have also been looking at the 'ChatStorage.sqlite' database. There is a table 'ZWAMESSAGE' which contains the actual chats. In this table there is a column 'ZMESSAGESTATUS', which I presume indicates whether messages have been received/read/… Does anyone have an overview of the meaning of these statuses? My own research indicates the following possibilities:
- 1 Message sent, but not received by other party
- 6 Message sent and received by other party, but not read
- 8 Message sent, received and read
Does anyone know of the other statuses and also how to connect them to timestamps? I assume they can be correlated to the 'ZWAMESSAGEINFO' table somehow.
Thanks already!
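An added example, not part of the original post: a small parser for the log layout quoted above that pulls out the entries the post relates to lock state and flags where 'device-unlocked' is closely followed by 'protected-data-available/0'. The function names, the one-second window, the reading of "115928.388" as 11:59:28.388 and the reading of the file-name digits as a timestamp are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout taken from the excerpt in the post. Colons in the time are optional
# because the excerpt shows "115928.388" (assumed to mean 11:59:28.388).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}):?(\d{2}):?(\d{2})\.(\d{3}) "
    r"\[\d+\] \[([^\]]*)\] \[[^\]]*\] \S+ (\S+)(?: (.*))?$")
# Layout of the two file names quoted in the post (digits assumed to be a timestamp).
NAME_RE = re.compile(
    r"^whatsapp-(\d{4}(?:-\d{2}){5})-(\d{3})-WhatsApp-(\d+)(-launch)?\.log$")
PDA = "appdelegate/protected-data-available/"
# Four of the excerpt lines from the post, copied as they appear there.
SAMPLE = """\
2017-11-22 115928.388 [3284062] [main-thread ] [-] LL_A* app/did-finish-launching
2017-11-22 115928.391 [3284062] [main-thread ] [-] LL_A* app/memory System [Used 3105MB, Free 300MB] Process [13MB]
2017-11-22 115928.459 [3284062] [main-thread ] [-] LL_A* appdelegate/device-unlocked
2017-11-22 115928.462 [3284062] [main-thread ] [-] LL_A* appdelegate/protected-data-available/0
"""

def parse_name(name):
    m = NAME_RE.match(name)
    if not m:
        return None
    ts = datetime.strptime(f"{m.group(1)}.{m.group(2)}", "%Y-%m-%d-%H-%M-%S.%f")
    return {"time": ts, "number": int(m.group(3)), "launch": m.group(4) is not None}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unknown layout or continuation line: skip rather than guess
    date, hh, mm, ss, ms, thread, event, detail = m.groups()
    ts = datetime.strptime(f"{date} {hh}:{mm}:{ss}.{ms}", "%Y-%m-%d %H:%M:%S.%f")
    return {"time": ts, "thread": thread.strip(), "event": event, "detail": detail or ""}

def lock_events(text):
    """Entries the post relates to lock state, as (time, event, flag)."""
    out = []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["event"] == "appdelegate/device-unlocked":
            out.append((rec["time"], rec["event"], None))
        elif rec["event"].startswith(PDA):
            out.append((rec["time"], PDA.rstrip("/"), rec["event"][len(PDA):]))
    return out

def conflicts(events, window=timedelta(seconds=1)):
    """(unlocked, flag-0) time pairs where flag 0 follows within `window`."""
    return [(u[0], z[0]) for u in events if u[2] is None
            for z in events if z[2] == "0" and timedelta(0) <= z[0] - u[0] <= window]
```

Running `conflicts(lock_events(text))` over each log file gives the timestamps where the two indicators disagree, which can then be compared with the entries where 'protected-data' is 1.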
For information about locked/unlocked screen:
adb logcat -b system -b events -v time -d > logcat.txt
On iOS/iPhone? 😯
jaclaz
Oh my..
Excuse me. I was a little bit in a hurry and did not read it precisely. Of course that works just for Android.
But on iOS there are OS-side logs too where you can find that kind of information.