Learning Android Forensics

By: Rohit Tamma, Donnie Tindall

WhatsApp analysis

WhatsApp is a popular chat-/video-messaging service with over 500,000,000 downloads in Google Play.

Package name: com.whatsapp

Version: 2.11.498

Files of interest:

  • /files/
    • Avatars/
    • me
    • me.jpeg
  • /shared_prefs/
    • RegisterPhone.xml
    • VerifySMS.xml
  • /databases/
    • msgstore.db
    • wa.db
  • /sdcard/WhatsApp/
    • Media/
    • Databases/

The /files/avatars directory contains thumbnails of the profile pictures of contacts that use the app, and me.jpg is a full-size version of the user's profile picture. The me file contains the phone number associated with the account.

The phone number associated with the account can also be recovered from /shared_prefs/RegisterPhone.xml. The /shared_prefs/VerifySMS.xml file shows the time that the account was verified (in the Linux epoch format, of course), indicating when the user first began using the app.
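As an added example (not code from the book), the following Python sketch reads a file in Android's SharedPreferences XML layout, as used under /shared_prefs/, and converts numeric values that look like epoch seconds or milliseconds to UTC. The key names and values in the sample are constructed placeholders, because the real keys in RegisterPhone.xml and VerifySMS.xml are not shown on this page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the SharedPreferences XML layout. Key names and values
# are placeholders, not the real contents of RegisterPhone.xml or VerifySMS.xml.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="example_phone_number">15555550100</string>
    <long name="example_verification_time" value="1420070400000" />
    <int name="example_state" value="3" />
    <boolean name="example_flag" value="true" />
</map>"""

# Plausible window for a timestamp on an Android device (an assumption used
# only to tell epoch values apart from counters and flags).
EPOCH_MIN = datetime(2005, 1, 1, tzinfo=timezone.utc).timestamp()
EPOCH_MAX = datetime(2040, 1, 1, tzinfo=timezone.utc).timestamp()


def epoch_to_utc(raw):
    """Return an ISO 8601 UTC string if raw looks like epoch s or ms, else None."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return None
    for divisor in (1, 1000):  # try seconds first, then milliseconds
        seconds = value / divisor
        if EPOCH_MIN <= seconds <= EPOCH_MAX:
            return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()
    return None


def parse_shared_prefs(xml_text):
    """Return (name, type, value, utc_or_None) for every entry in the <map>."""
    rows = []
    for elem in ET.fromstring(xml_text):
        # <string> stores its value as element text; other types use value="".
        value = elem.text if elem.tag == "string" else elem.get("value")
        # Only numeric types are tested, so phone numbers held in <string>
        # entries are never misread as timestamps.
        utc = epoch_to_utc(value) if elem.tag in ("long", "int") else None
        rows.append((elem.get("name"), elem.tag, value, utc))
    return rows


if __name__ == "__main__":
    for name, kind, value, utc in parse_shared_prefs(SAMPLE_PREFS):
        print(f"{name} ({kind}) = {value}" + (f"  -> {utc}" if utc else ""))
```

Run it against a copy of the extracted file rather than the original evidence, and record converted times as UTC alongside the raw value so the conversion can be re-checked.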

The msgstore.db database, like it sounds, contains messaging data:




The key_remote_jid column shows each account the user has communicated...