Locating WhatsApp Artifacts in Web/Desktop Clients
This is my first post on Forensic Focus. I recently graduated with a M.S. degree in IT with a concentration in Cyber Forensics (if anyone is interested in hiring a recent grad with over two years of experience with digital forensics, PM me!). For my thesis I investigated which artifacts remain on desktop clients (Windows and Mac) when you use WhatsApp either as the application you install or when you use it on a web browser (Chrome, Firefox, Safari).
Thought I might share my findings since I haven't been able to find an answer to this online. Hopefully this can help somebody out!
I'd suggest just skipping to chapter four (Results). These are the main findings
-WhatsApp creates a log file in every client I investigated. Within this log file you can find timestamps of user actions (e.g., sent/received messages, profile modification, contacted numbers), mobile client device information (e.g., make, model, OS version, build number), and browser user agent information. I'd like to point out that only timestamps are saved in the log file and not actual content (e.g., a photo or the text conversation).
-Profile pictures of the user, group chats, and other contacts are cached in different clients.
-This might not be new but its also worth mentioning you can take a look at the WhatsApp application run or visited URL date/time/count by inspecting prefetch files and the browser's history file.
I am planning on eventually turning this thesis into an article. In the meantime you can find it in the link below
Let me know if you have any questions.
Thats are normal log files of the application running for debbuging, nothing really important.
Also original whatsapp on android and iphone have same log file.
if you need more info about advanced whatsapp forensic contact me (crypt12 decryption without key, protocol interception, etc.)
Unfortunately, whatsapp is now vulnerable and not secure.