Data Recovery, E-Discovery, Mobile Devices

WhatsApp – discovering timestamps of deleted messages

ABSTRACT: This is a procedure for locating and parsing the timestamps of deleted messages in the Android WhatsApp database.

I did a little reverse engineering, using the hexadecimal tool of Physical Analyzer (UFED by Cellebrite), on the database of the popular messaging app WhatsApp for Android, because P.A. 3.8.6 does not display deleted WhatsApp messages, at least on Android 4.1.2 on my Samsung S3.

The database type is SQLite 3.0 and it is located in:

\data\com.whatsapp\databases\msgstore.db

Before the acquisition of my Samsung S3 with Android 4.1.2 by UFED Physical Touch, I deleted two messages (the first and the third) from a conversation in my WhatsApp.

After the acquisition I obtained the file DumpData.bin; I opened msgstore.db with the hex file viewer and searched for the keywords of the deleted messages, getting a hex dump like this (the picture is not from the PA editor):

[Image: hex dump of the deleted message record]

The message consists of the sender's number, followed by a number which represents the date but not the correct time. This number is the Unix epoch time, that is the number of seconds since 00:00:00 on 01/01/1970. With a simple conversion using programs like DCode or http://www.epochconverter.com/, we can see that the number 1385911713 converted to date format is 01 Dec 2013 at 15:28:33, so the time part is not accurate.

We have to find the date and time (timestamp) for this message, so with a little testing and by comparing with the messages that were not deleted, we find that the first six (6) bytes after the end of the message text represent the timestamp with the correct date and time.
Indeed we collect the following 6 bytes of the first message:
01 42 AE FF E8 20 and 01 42 AF 1F BA 5F; then we convert them into decimal with a calculator and convert the number as Unix time in milliseconds, because here the timestamps are in milliseconds and not seconds; finally we set DCode to UTC+1 (we are in Italy, in winter time, UTC+1).
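The two decodings described above (the seconds-based number after the sender, and the 6-byte millisecond timestamp after the text) carried out in code. This is an added example, not part of the original post or of any Cellebrite tool; the record layout of the constructed sample and the plausibility window are assumptions made for the example.

```python
# Added example: decode the two timestamp encodings described in the article
# for a record carved from WhatsApp msgstore.db. The sample record layout below
# is constructed for illustration only and is not the real database format.
from datetime import datetime, timedelta, timezone
from typing import Optional

CET = timezone(timedelta(hours=1))  # Italy in winter time, UTC+1, as in the article


def epoch_seconds_to_utc(seconds: int) -> datetime:
    """The number after the sender field: Unix time in SECONDS (only the date is reliable)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def ms_timestamp_from_bytes(raw: bytes, tz: timezone = CET) -> datetime:
    """The 6 bytes after the message text: big-endian Unix time in MILLISECONDS."""
    if len(raw) != 6:
        raise ValueError("expected exactly 6 bytes, got %d" % len(raw))
    ms = int.from_bytes(raw, "big")
    # Split whole seconds from the ms remainder to avoid float rounding on the sub-second part.
    return datetime.fromtimestamp(ms // 1000, tz=tz) + timedelta(milliseconds=ms % 1000)


def plausible_ms(ms: int, lo_year: int = 2009, hi_year: int = 2020) -> bool:
    """Sanity window so that junk bytes are not reported as a timestamp.
    The year bounds are an assumption for this example, not from the article."""
    lo = datetime(lo_year, 1, 1, tzinfo=timezone.utc).timestamp() * 1000
    hi = datetime(hi_year, 1, 1, tzinfo=timezone.utc).timestamp() * 1000
    return lo <= ms < hi


def carve_timestamp(blob: bytes, text: bytes) -> Optional[datetime]:
    """Find `text` in a raw dump and decode the 6 bytes that follow it, if plausible."""
    pos = blob.find(text)
    end = pos + len(text)
    if pos < 0 or end + 6 > len(blob):
        return None
    raw = blob[end:end + 6]
    if not plausible_ms(int.from_bytes(raw, "big")):
        return None
    return ms_timestamp_from_bytes(raw)


# Constructed sample record: sender placeholder, seconds field, text, 6-byte ms stamp
# (the first 6-byte value quoted in the article).
SAMPLE = b"39XXXXXXXXXX-1385911713" + b"\x00ciao, prova" + bytes.fromhex("0142AEFFE820")

if __name__ == "__main__":
    print(epoch_seconds_to_utc(1385911713))         # 2013-12-01 15:28:33+00:00
    print(carve_timestamp(SAMPLE, b"ciao, prova"))  # 2013-12-01 17:31:16+01:00
```

Both 6-byte values from the article decode to 1 Dec 2013 (17:31:16 and 18:06:01 CET), consistent with the date given by the seconds field.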

[Image: DCode conversion of the first timestamp]

Same procedure for the other message :

[Image: DCode conversion of the other message's timestamp]

We can conclude that, even after the two messages were deleted, we have recovered the sender, the recipient, the text and the right timestamp.

This procedure works only if we find leftover (junk) data in the database, and its focus is on timestamp discovery.

Author
Nanni Bassetti, Digital Forensics Expert, C.A.IN.E. Linux forensic distro project manager, founder of CFI – Computer Forensics Italy, a mailing list specialized in digital forensics topics, co-developer of SFDumper and founder of the web site http://scripts4cf.sf.net.
Personal website: http://www.nannibassetti.com – e-mail: digitfor@gmail.com
