WhatsApp – discovering timestamps of deleted messages

ABSTRACT: This is a procedure for locating and parsing the timestamps of deleted messages in the Android WhatsApp database.

I did a little reverse engineering, using the hexadecimal tool of Physical Analyzer (UFED by Cellebrite), of the database of the popular messaging app WhatsApp for Android, because P.A. 3.8.6 does not display deleted WhatsApp messages, at least on Android 4.1.2 on my Samsung S3.

The database is SQLite 3 and is located at:

\data\com.whatsapp\databases\msgstore.db

Before the acquisition of my Samsung S3 (Android 4.1.2) with UFED Physical Touch, I deleted two messages (the first and the third) from a conversation in my WhatsApp.


After the acquisition I obtained the file DumpData.bin; I opened msgstore.db in the hex file viewer and searched for keywords from the deleted messages, getting a hex dump like this (the picture is not from the PA editor):

Image

The message consists of the sender’s number, followed by a number that represents the date but not the correct time. This number is the Unix epoch time, i.e. the number of seconds since 00:00:00 on 01/01/1970. With a simple conversion using a program like DCode or http://www.epochconverter.com/, we can see that the number 1385911713 converts to 01 Dec 2013 at 15:28:33, so the time is not accurate.

We still have to find the full date and time (timestamp) of this message. With a little testing and comparison against the messages that were not deleted, we find that the first six (6) bytes after the end of the message text represent the timestamp with the correct date and time.
Indeed, we collect the following 6 bytes for the first message:
01 42 AE FF E8 20 and 01 42 AF 1F BA 5F. We convert them to decimal with a calculator and then convert the number as Unix time in milliseconds (here the timestamps are in milliseconds, not seconds); finally we set DCode to UTC+1 (we are in Italy, on winter time, UTC+1).

Image

The same procedure for the other message:

Image
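The manual steps above (locate the text, take the next 6 bytes, read them as big-endian milliseconds, render in UTC+1) as a small script. This is an added example, not code from the article or from Cellebrite; the message text in the constructed dump fragment is hypothetical, while the two 6-byte values and the coarse epoch-seconds value are the ones quoted in the article.

```python
from datetime import datetime, timedelta, timezone

# The two 6-byte sequences quoted in the article, found right after each message text.
TS_FIRST = bytes.fromhex("0142AEFFE820")
TS_SECOND = bytes.fromhex("0142AF1FBA5F")
# Coarse "date" value (epoch seconds) the article found before the message text.
COARSE_SECONDS = 1385911713
# Constructed fragment imitating the hex dump: hypothetical text followed by the timestamp.
SAMPLE_FRAGMENT = b"\x00\x00ciao, ci vediamo stasera" + TS_FIRST + b"\x00\x00"

UTC_PLUS_1 = timezone(timedelta(hours=1))  # Italy, winter time, as set in DCode


def ms_from_bytes(raw: bytes) -> int:
    """Read the 6 bytes after the message text as a big-endian Unix timestamp in ms."""
    if len(raw) != 6:
        raise ValueError("expected exactly 6 bytes, got %d" % len(raw))
    return int.from_bytes(raw, "big")


def ms_to_text(ms: int, tz: timezone = timezone.utc) -> str:
    """Render a millisecond timestamp as 'DD Mon YYYY HH:MM:SS.mmm' in the given zone.
    Integer arithmetic is used so no precision is lost in the milliseconds."""
    dt = datetime.fromtimestamp(ms // 1000, tz)
    return "%s.%03d" % (dt.strftime("%d %b %Y %H:%M:%S"), ms % 1000)


def timestamp_after_text(dump: bytes, text: bytes) -> int:
    """Locate the message text in a raw dump and return the ms timestamp
    stored in the 6 bytes immediately following it."""
    pos = dump.find(text)
    if pos < 0:
        raise ValueError("message text not found in dump")
    end = pos + len(text)
    return ms_from_bytes(dump[end:end + 6])


def plausible(ms: int, coarse_seconds: int, window_seconds: int = 86400) -> bool:
    """Sanity check before trusting a recovered value: the precise timestamp
    should lie within a day of the coarse epoch-seconds value near the message."""
    return abs(ms // 1000 - coarse_seconds) <= window_seconds


if __name__ == "__main__":
    for label, raw in (("first", TS_FIRST), ("second", TS_SECOND)):
        ms = ms_from_bytes(raw)
        print(label, raw.hex(), ms, ms_to_text(ms, UTC_PLUS_1), plausible(ms, COARSE_SECONDS))
```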

We can conclude that, even after the two messages were deleted, we have recovered the sender, the recipient, the text and the correct timestamp.

This procedure works only if we find junk (remnants of the deleted records) in the database, and its focus is on timestamp discovery.

Author
Nanni Bassetti, Digital Forensics Expert, C.A.IN.E. Linux forensic distro project manager, founder of CFI – Computer Forensics Italy, a mailing list specialized in digital forensics topics, co-developer of SFDumper and founder of the web site http://scripts4cf.sf.net.
Personal website: http://www.nannibassetti.com – e-mail: digitfor@gmail.com
