sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Support WhatsApp "view once" messages #2030

Closed wladimirleite closed 4 months ago

wladimirleite commented 6 months ago

Currently these messages are shown as "unknown message", so any associated text and thumbnail are not extracted by IPED's internal parser.

gfd2020 commented 6 months ago

Is it possible to recover the photo that is sent with this type of message or is it permanently deleted?

wladimirleite commented 6 months ago

> Is it possible to recover the photo that is sent with this type of message or is it permanently deleted?

The thumbnail is kept (and included in the report if it is present), although it is not shown in the application itself.

The original files (as other images/videos) are not stored in the database. I will take a closer look, to see if it is possible to find them.

wladimirleite commented 6 months ago

Just tested here, if the file itself is still present "somewhere" or could be carved, it will be found by hash and included in the chat output, as it is done for other images/videos. For "view once" sent files, this can happen more often, as the user can send photos stored in the device using this feature. For received images/videos, in the test I made, I could not find the files in the device. I believe WA does not store it (just downloads and presents the file once, when requested). To be honest, I didn't expect the thumbnails to be present.
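The hash-based linking described in the comment above, as an added illustration that is not IPED's code and not part of the original thread. The `Message` fields, the file paths and the sample bytes are constructed assumptions; the sketch only shows how a sent "view once" photo still present on the device resolves to a file, while a received one falls back to its thumbnail.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Message:                      # hypothetical record, not IPED's or WhatsApp's schema
    msg_id: int
    direction: str                  # "sent" or "received"
    view_once: bool
    media_sha256: Optional[str]     # hash recorded for the media, if any (assumed field)
    has_thumbnail: bool

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def index_by_hash(files):
    """Map SHA-256 digest -> path for every allocated or carved file in the evidence."""
    return {sha256_hex(data): path for path, data in files.items()}

def link_media(messages, files):
    """Return {msg_id: (status, path)}; status is 'file', 'thumbnail_only' or 'missing'."""
    index = index_by_hash(files)
    linked = {}
    for m in messages:
        path = index.get(m.media_sha256) if m.media_sha256 else None
        if path:
            linked[m.msg_id] = ("file", path)            # original media located by hash
        elif m.has_thumbnail:
            linked[m.msg_id] = ("thumbnail_only", None)  # only the stored thumbnail survives
        else:
            linked[m.msg_id] = ("missing", None)
    return linked

# Constructed sample evidence: one gallery photo that was also sent as "view once",
# plus an unrelated carved file. The received photo is absent from the device.
SENT_PHOTO = b"constructed-bytes-of-gallery-photo"
RECEIVED_PHOTO = b"constructed-bytes-never-written-to-disk"
FILES = {"DCIM/Camera/IMG_0001.jpg": SENT_PHOTO, "carved/00012345.jpg": b"unrelated"}
MESSAGES = [
    Message(1, "sent", True, sha256_hex(SENT_PHOTO), True),
    Message(2, "received", True, sha256_hex(RECEIVED_PHOTO), True),
    Message(3, "received", True, None, False),
]

if __name__ == "__main__":
    for msg_id, (status, path) in link_media(MESSAGES, FILES).items():
        print(msg_id, status, path)
```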

wladimirleite commented 4 months ago

I found out that there are also view once voice (audio) messages (type 53 in iOS DBs).

lfcnassif commented 3 weeks ago

Just giving feedback from a user related to this great feature:

Searching for single view messages here showed me dozens of corruption requests.
I saw one, then I saw that in single messages IPED puts "VIEW_ONCE_IMAGE_MESSAGE".
I shared this in analysis groups, apparently no one knew yet... I saw one of these messages,
so I went to see if it had any metadata to search globally.
Then the tool found dozens of other bribe requests that the employee asked for.

Thank you @wladimirleite for implementing this support!