Old WhatsApp databases from 2015 app version with parsing error

[danpos]

I have made two tests:

1. UFDR file generated of a 'collection' with Advanced logical and apk downgrade (both parsed in Cellebrite Physical Analyzer 7.39) that was ingested in IPED resulting in no one WhatsApp chats;
2. UFDR file generated a Physical Extraction (Cellebrite Physical Analyzer 7.39) ingested in IPED, resulting in no one WhatsApp chats. All data sources are related to Motorola Moto G XT1069 device, and the difference between 1 and 2 is the last presented more chats artifacts. The WhatsApp chats are present in both UFDR files, of course.

[lfcnassif]

Did you include "Databases" in your UFDR report? By default, IPED needs the original Whatsapp databases to parse the chats.

Another option is to change the "phoneParsersToUse" option from "internal" to "external" in conf/ParsingTaskConfig.txt file in the used profile. With that, IPED will use the results parsed by Cellebrite software, instead using its internal parser to decode the chats.

Be aware the resuts between "internal" and "external" parsers are different. The first does a much better job to link attachments (sha-256 hash needs to be enabled for that), including renamed, moved or carved ones. The last recovers deleted messages and chats from Android DBs, internal parser is able to recover deleted chats or messages just from the iOS WA DBs for now.

If you included "Databases" in UFDR report for sure, please attach the full processing log.

[lfcnassif]

Could you provide the asked info?

[danpos]

I will, but first, I will do a new test to confirm it.

[lfcnassif]

Ok, please check if the correct msgstore.db file is inside the ufdr.

[danpos]

I did (2) and confirmed that all data were to the UFDR package, and after the file creation, I confirmed that msgstore.db was present inside it.

Another register is that there are differences if UFDR is generated following (1) or (2): in (1) IPED returns more chats parsed than (2).

IPED-2020-11-07-12-01-41_3rd-run.log IPED-2020-11-03-17-47-06_1st-run.log

[lfcnassif]

Seems whatsapp database schema changed:

WAExtractorException: org.sqlite.SQLiteException: [SQLITE_ERROR] SQL error or missing database (no such column: edit_version)

If you could send the db privately, I can take a look next week. @fmpfeifer if you have time and can take a look at this, let me know.

PS: Previously Iped did not extract any chats and in last run it extracted some? Was something changed?

[danpos]

I did a new test changing the profile in conf/AdvancedConfig.txt as you have suggested, and I got success in getting all chats artifacts, just for your information.

[danpos]

Seems whatsapp database schema changed:

WAExtractorException: org.sqlite.SQLiteException: [SQLITE_ERROR] SQL error or missing database (no such column: edit_version)

If you could send the db privately, I can take a look next week. @fmpfeifer if you have time and can take a look at this, let me know.

PS: Previously Iped did not extract any chats and in last run it extracted some? Was something changed?

Ok, I will send the file to you. Regarding the question, the differences between runs were the amount of chats artifacts parsed in the result.

[lfcnassif]

Thank you @danpos I was able to fix the issue with the samples you sent to me. It is related to an old 2015 database schema without edit_version column in messages table.

[lfcnassif]

If possible, please test the snapshot on https://github.com/sepinf-inc/IPED/actions/runs/354908268