*This article is a summary of all possible location of WhatsApp app on mobile and desktop and the recommendations on acquisition and analysis. *
⚠️ WhatsApp doesn’t store communication history on the servers, only on the client device. Users can schedule chat history backup or turn it off completely. Conversations are also saved when the iDevice is synced via iTunes.
iOS
⏱️ Timestamps: Apple Core Foundation Absolute Time, also known as Apple Cocoa Core Data Time (number of seconds since 📅 01/01/2001 ⏰ 00:00:00 UTC).
📂 iCloud and iTunes backups (can be encrypted) 📂 ???? iOS FS (unencrypted)
🏺 ChatStorage.sqlite. Contains text communication data.
- ZWACHATSESSION table for conversations.
ZSESSIONTYPE:0for private messages,1for group chat,2for broadcast,3for status change.ZCONTACTJID,ZPARTNERNAME,ZMESSAGECOUNTER,ZUNREADCOUNT,ZLASTMESSAGEDATE(timestamp of the last message),ZLASTMESSAGE. - ZWAMESSAGE (items in
ZMEDIAITEMcolumn provides the foreign key to theZWAMEDIAITEMtable; exclamation ❗️ZTEXTincludes the text of the message, and it is empty if the text was deleted, or the message only included an attachment). - ZWAMEDIAITEM table. ⚠️
ZLATITUDEandZLONGITUDEinclude the coordinates of the location pin, while for images and videos, they show the width and height values 🏺CallHistory.sqlite. Contains call communication data. 🏺ContactsV2.sqlite. Contains WhatsApp contacts.
A user can delete a message within 2 days after sending it. In such an event, the message box is not deleted in the UI, only its contents + it’s marked with “You deleted this message”. When messages are deleted “only for me”, they will likely not be recoverable from the device unless they were backed up. However, when a message is delete for everyone, its metadata might still be present on the device. Also, if there was no internet connection for at least one of the participants, you may be able to recover the message.