Some deleted chats or messages not being tagged as deleted

[hauck-jvsh]

Our coligue here, João Paulo, found a case with several deleted messages. These messages are recovered and marked as delete on the Physical Analyzer, but on IPED they are shown without the deleted mark. This occurs in version 4.1.1 with an IOS device. He is processing again using version 4.1.4 to see if it is happening in the last version.

[lfcnassif]

Has he used the internal or external parser? If the internal one, maybe those messages exist and are not deleted. IPED is able to recover deleted WA messages from iOS, but it discards corrupted or duplicated messages. PA recovers many duplicated messages and doesn't discard them...

If he used the external parser, maybe some regression was introduced recently (bug) or maybe the report.xml schema in the UFDR has changed recently (not a bug but lack of support for recent UFDR versions).

[hauck-jvsh]

He was using the internal parser, I think that the messages are really deleted, but I will confirm later, because he goes to that chat after seeing a message in the log saying that the group is deleted. In physical analyzer it appears as two chats one delete with the messages and another one not deleted but without any messages.

[lfcnassif]

Cool! So the tool could have recovered a deleted group, that is great. Of course we should tag it as such, if it really is.

[lfcnassif]

he goes to that chat after seeing a message in the log saying that the group is deleted

IPED log, Whatsapp log or PA log?

[hauck-jvsh]

WhatsApp log, I'm in the Interforensics event this week, because of that I will look at this only in the next week.

[lfcnassif]

Don't worry, take your time and enjoy the conference!

[hauck-jvsh]

I was looking at this today, and it seems like that there is a flag in the chat database ZREMOVED that is 1 when the chat is deleted. The chat is not really deleted, I don't know if it is marked and deleted later, or if it will remain marked forever.

[lfcnassif]

Thanks for looking into this! If user can't see the chat in the phone screen, I think we can flag it as deleted.

[hauck-jvsh]

https://reunir.unir.net/bitstream/handle/123456789/2832/Memoria_TFM.pdf This document has some information about forensics in IOS devices. It says that zremoved is from when a chat is delete and maybe there is another interesting information, the zwachatsession.zhidden. this shows if the chat is hidden or not.

[lfcnassif]

Thanks @hauck-jvsh! I just wondered if the Android parser code is reading a similar column to ZREMOVED... Could you check?

[hauck-jvsh]

Maybe there is something similar, I can take a look at this.

[hauck-jvsh]

I found the hidden flag and a archived flag, but I'm not sure what the archived flag means. One thing that I notice, there is a table deleted_chat_job, but I don't know what it means.

[lfcnassif]

If you tap and hold your finger on a conversation in the conversation list, WhatsApp will show some options on the top, one of them is to archive the chat. On my turn, I didn't know about hidden chats, just found the option to enable it in the contact screen.