sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Whatsapp Parser - Android New - 'raw_string_jid' like @lid #2270

Open gfd2020 opened 1 month ago

gfd2020 commented 1 month ago

New Android databases are full of chats ending with @lid. These are shown as empty conversations when processing through IPED.

Perhaps these @lids could be ignored so as not to pollute the listing of chats.

It appears that these @lids are unique (hidden) user identifiers.

Source: https://github.com/pedroslopez/whatsapp-web.js/issues/2330

PS: This case I'm looking at has around 2,300 chats processed at IPED, 674 are @lid.

lfcnassif commented 1 month ago

Hi @gfd2020, in how many cases have you observed this? Has anyone else noticed this and can confirm those chats are always empty?

gfd2020 commented 1 month ago

> Hi @gfd2020, in how many cases have you observed this? Has anyone else noticed this and can confirm those chats are always empty?

Hi @lfcnassif. Good point. I just tested a very recent case. It must have a well-updated database. I'll try to catch more cases to confirm for sure.

PS: IPED is ignoring @broadcast, but I did a test to not ignore it and a chat is created with several photo posts, for example. I imagine it's the status changes posted.

lfcnassif commented 1 month ago

> PS: IPED is ignoring @broadcast, but I did a test to not ignore it and a chat is created with several photo posts, for example. I imagine it's the status changes posted.

Yes, there is an open ticket to handle status changes: https://github.com/sepinf-inc/IPED/issues/616

I think they should be displayed in a different way, not as a chat, like Cellebrite software does. And, not sure, but as far as I remember, those profile picture changes appear like they were received photos, right? When actually they were broadcasted from the owner to all other contacts.

gfd2020 commented 1 month ago

> I think they should be displayed in a different way, not as a chat, like Cellebrite software does. And, not sure, but as far as I remember, those profile picture changes appear like they were received photos, right? When actually they were broadcasted from the owner to all other contacts.

Yes. Sometimes it appears as received and other times as sent... Anyway, I think it really needs some special treatment.

gfd2020 commented 1 month ago

Hi @lfcnassif.

I tested 8 new chats. Some may come empty but many come with system messages below. Maybe it's better to leave it as is:


Messages and calls are end-to-end encrypted. No one outside of this chat, not even WhatsApp, can read or listen to them. Tap to learn more.

000000000000000 (000000000000000@lid) changed to 55XX99999999.

You blocked this contact. Tap to unblock.

You unblocked this contact.
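An added sketch of the listing policy this thread converges on (not IPED code and not from any commenter): hide @lid chats only when they carry no messages at all, and recover the @lid-to-number link from the "changed to" system message quoted above. `Chat`, `listed_chats` and `lid_to_number` are hypothetical names, messages are assumed to be already rendered as text, and the sample chats are constructed.

```python
import re
from dataclasses import dataclass, field

LID_SUFFIX = "@lid"              # hidden user identifiers discussed in the thread
BROADCAST_SUFFIX = "@broadcast"  # the thread reports IPED already skips these

# Shape of the rendered system message quoted in the last comment:
#   "<id> (<id>@lid) changed to <number>."
LID_CHANGE = re.compile(r"\((\d+@lid)\) changed to (\S+?)\.?$")


@dataclass
class Chat:                      # hypothetical container, not an IPED class
    jid: str
    messages: list = field(default_factory=list)


def listed_chats(chats):
    """Drop @broadcast chats and *empty* @lid chats; keep everything else."""
    kept = []
    for chat in chats:
        if chat.jid.endswith(BROADCAST_SUFFIX):
            continue
        if chat.jid.endswith(LID_SUFFIX) and not chat.messages:
            continue             # nothing to show, would only pollute the listing
        kept.append(chat)
    return kept


def lid_to_number(chats):
    """Map each @lid to the number named in its 'changed to' system message."""
    mapping = {}
    for chat in chats:
        for text in chat.messages:
            match = LID_CHANGE.search(text.strip())
            if match:
                mapping[match.group(1)] = match.group(2)
    return mapping


# Constructed sample chats; identifiers are placeholders in the thread's style.
SAMPLE = [
    Chat("5511900000000@s.whatsapp.net", ["hello"]),
    Chat("000000000000000@lid", [
        "000000000000000 (000000000000000@lid) changed to 55XX99999999.",
        "You blocked this contact. Tap to unblock.",
    ]),
    Chat("111111111111111@lid"),            # empty: hidden from the listing
    Chat("status@broadcast", ["photo"]),    # skipped regardless of content
]
```
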