sepinf-inc / IPED

IPED Digital Forensic Tool. It is open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

[WhatsApp Parser] - Scrambled Messages #1739

Open thalespr opened 1 year ago

thalespr commented 1 year ago

It looks like WhatsApp uses the FTS (Full Text Search) feature of SQLite and some tools can decode it and create chats with data from it. However, the words are saved out of order and it can make end users confused. It would be nice to put a flag to indicate when a message is scrambled.

lfcnassif commented 1 year ago

We don't support decoding FTS indexes from SQLite databases. Do you mean adding a flag/notice when it is decoded from UFDR reports, right?

thalespr commented 1 year ago

> We don't support decoding FTS from SQLite databases. Do you mean adding a flag/notice when it is decoded from UFDR reports, right?

Exactly.

wladimirleite commented 1 year ago

Another user here is working on a case in which the most important WhatsApp messages were deleted but they remained as scrambled data. They are already included in "report.xml" (inside the UFDR), so I believe it would be possible to handle these entries and build a chat-like preview (as Cellebrite tools do), although words in each message are usually scrambled (not in the same order as the original message). It seems that originally these scrambled messages are stored in another SQLite, as IPED shows the messages in its standard SQLite parser, but I guess handling the "report.xml" entries would be easier.