sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.
Other
962 stars 219 forks source link

Add a notice about WhatsApp edited messages #1725

Closed lfcnassif closed 8 months ago

lfcnassif commented 1 year ago

Seems this WhatsApp feature was released last month...

wladimirleite commented 1 year ago

Seems this WhatsApp feature was released last month...

We discussed about this here last week.

It has to be checked, but thinking about how they implemented this, it is possible that the original record (in the SQLite) is updated when a message is edited, or another record is created referencing the original one...

So depending on how it was implemented, we may have more information about the edition, like when it was edited and maybe the original message.

wladimirleite commented 1 year ago

As recently I worked on a few issues related to WhatsApp parser, I may take a look into this, unless someone else wants to.

lfcnassif commented 1 year ago

Thank you @tc-wleite! At least from my side, I don't plan to work on this in the near future edited: because I already planned to work on other things.

wladimirleite commented 1 year ago

I have a couple of Android databases with edited messages and already found out how they are stored. I still need to find iOS samples. It seems the WA message edit feature is not that popular (like emojis reaction, for example).

Anyway, I will wait until another PR related to the WhatsApp parser (#1920) is merged before doing any code changes, to avoid possible future merging conflicts.

lfcnassif commented 1 year ago

Anyway, I will wait until another PR related to the WhatsApp parser (#1920) is merged before doing any code changes, to avoid possible future merging conflicts.

I started reading your message and immediately thought about suggesting this :-)

wladimirleite commented 9 months ago

The only information available is that the message was edited, and when. So I am adding something like "Edited on 2024-01-06 18:14:00 -03:00". The message record is updated when edited, so the original content does not remain stored anywhere else.