Received/Send WhatsApp files with Windows Phone 8.1
I am examing a Lumia 630 (RM-976) with Windows Phone 8.1, relating to WhatsApp.
WhatsApp is located at the typical path for Windows Phones. I've got there the "…/LocalState/Shared/Transfer/" path, which includes all the received and send images (in subdirectories like "/YEAR_nr/").
I noticed that those files either ends with "-i" or "-o" like bin1234-ABCD-i. The associated messages.db does not exist anymore.
Luckily i found another messages.db with some (unrelevant) chats and send/received files. There are two very interesting columns "KeyFromMe" and "WantsReceipt". What i found out
all files in "…/LocalState/Shared/Transfer/…/" which ends with "-i" does have the values KeyFromMe = 0 and WantsReceipt = 1
all files in "…/LocalState/Shared/Transfer/…/" which ends with "-o" does have the values KeyFromMe = 1 and WantsReceipt =0
So i think, that files with "-i" suffix are reived files (-i = -incoming?) and files with "-o" are send files (-o = outgoing?).
Can someone confirm that? Is a file like "…/LocalState/Shared/Transfer/YEAR_nr/bin1234-ABCD-i" definitely a reveived and with "…/LocalState/Shared/Transfer/YEAR_nr/bin1234-ABCD-o" a send one?
I found this old paper (2014) about WhatsApp forensics with android devices. On page 14 there is a explanation for "key_from_me" on android devices.