
WhatsApp Forensics: Deleted Message Recovery on iOS vs. Android


When it comes to solving cases, deliberately hidden evidence is often what is needed to unravel the knot. In the digital age, those traces may be digital, too, which makes them harder for forensic tools and investigators to find. With the growing number of mobile apps, recovering such data has become more challenging, because each operating system and application manages its storage differently. Successfully retrieving deleted data can reveal hidden details and provide crucial insights, significantly impacting the outcome of an investigation.

As we continue our WhatsApp forensics series, let’s explore how deletion and data storage functions in WhatsApp databases. Is it possible to retrieve deleted data from these databases? We will find out using Belkasoft X, a flagship tool for computer, mobile, drone, car, and cloud forensics.

SQLite and deleted records

Before we get to our forensic WhatsApp recovery experiment, it is best to have an understanding of SQLite, the lightweight database system used by many mobile applications, including WhatsApp.


Its popularity stems from its serverless architecture, making it an optimal choice for applications requiring a simple yet solid data storage solution. This extensive usage of SQLite in both built-in and third-party applications makes it a significant focus in digital forensic investigations.

In forensic data analysis, understanding SQLite’s unique features and structures is essential for accurately extracting and interpreting digital evidence. SQLite databases store information in a structured manner, often containing vital data such as chat logs, browser history, and user activity records. Features like freelists, Write-Ahead Logs (WAL), and unallocated space are crucial for investigators as they can reveal deleted or uncommitted data, which might otherwise be inaccessible through standard database queries.

Freelists in SQLite databases store recently deleted records, providing forensic experts with the opportunity to recover data that users might have attempted to erase. Similarly, WAL files maintain a log of changes to the database, preserving records of recent transactions that can be critical in understanding the sequence of events leading up to an incident. Unallocated space within SQLite databases can also contain remnants of previously stored data, offering additional insights during forensic analysis.

Now, let’s put this knowledge into context and see how SQLite’s features enable WhatsApp forensic analysis across different operating systems.


Forensic WhatsApp recovery on the iOS smartphone

There is a lot to unpack when it comes to SQLite forensics, but for now, we will keep things simple and do a side-by-side comparison of deleted WhatsApp data retrieval on Android and iOS. 

Picture a conversation between an iOS and an Android user where both of them deleted several messages. WhatsApp offers two deletion options: “for Everyone” (available for a limited time) and “for Me.” In this case, we deleted two messages “for Everyone” and the rest “for Me.” The following screenshot shows how these deletions appeared on our test iPhone.

[Screenshot: the test conversation on the iPhone, showing the messages deleted “for Everyone” and “for Me”]

To obtain a full file system copy of the iPhone, we used the checkm8-based acquisition method available in Belkasoft X. While it’s possible to retrieve WhatsApp data from an iTunes or iCloud backup, it is best to get the full file system copy with the help of mobile forensics software, as this generally offers a more comprehensive dataset. We also used Belkasoft X to analyze and examine the acquired image. When we found our test chat, we identified the following artifacts extracted from the database:


[Screenshot: artifacts extracted from the test chat, as listed in Belkasoft X]

As you can see, the messages we recovered reflected the data available on the device during acquisition. No “for Me” deleted items were present, and empty bubbles indicated messages deleted “for Everyone.” To explore further, we used Belkasoft X’s robust SQLite viewer, which can recover various records, including freelists, WAL files, and unallocated space.

We examined the ChatStorage.sqlite database within the iPhone’s file system. WhatsApp databases can be found in ..\private\var\mobile\Containers\Shared\AppGroup, in the subfolder named after the GUID assigned to the application during installation. The ZWAMESSAGE table contains the message details.

[Screenshot: the ZWAMESSAGE table of ChatStorage.sqlite in the Belkasoft X SQLite viewer]

Initially, sorting by the Record type column revealed no freelist or WAL records. In the Unallocated space, a few records appeared but lacked significant information. Sorting by the primary key to locate our chat messages revealed gaps in the Z_PK (primary key) values, indicating deleted records. The ZSORT column helped identify the chronological order of messages, aiding in spotting gaps in the user’s chats.

Given these findings, it is evident that iOS WhatsApp databases are not effective for recovering deleted messages. However, by examining the Z_PK and ZSORT columns in the ZWAMESSAGE table, you can still gain insights into the removal of records from conversations, which is better than nothing. Will Android databases prove any better?
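The inference described above (deletions betrayed by missing Z_PK values and by gaps in the ZSORT ordering) can be scripted. The following is an added example, not Belkasoft's code or WhatsApp's schema: it builds a small constructed look-alike of the ZWAMESSAGE table in memory and reports the gaps. The ZCHATSESSION column, assumed here to link a message to its chat, is not mentioned on this page; it is used to judge whether a ZSORT gap most likely belonged to the chat under investigation (both neighbours in the same chat) or cannot be attributed.

```python
"""Infer deleted records in an iOS WhatsApp ChatStorage.sqlite from Z_PK / ZSORT gaps.

Added example. The table below is a constructed, cut-down look-alike of
ZWAMESSAGE (real databases have many more columns); column ZCHATSESSION is
assumed to hold the chat a message belongs to.
"""
import sqlite3


def find_gaps(values):
    """Return the integers missing from the run min(values)..max(values)."""
    present = set(values)
    if not present:
        return []
    return [v for v in range(min(present), max(present) + 1) if v not in present]


def deletion_indicators(con, chat_session):
    """Report gaps in Z_PK (database-wide) and ZSORT (chronological order).

    A ZSORT gap whose surviving neighbours both belong to `chat_session`
    most likely came from that chat; other gaps cannot be attributed from
    the sort order alone.
    """
    rows = con.execute(
        "SELECT Z_PK, ZSORT, ZCHATSESSION FROM ZWAMESSAGE ORDER BY ZSORT"
    ).fetchall()
    pk_gaps = find_gaps([r[0] for r in rows])
    sort_gaps = find_gaps([r[1] for r in rows])
    chat_by_sort = {r[1]: r[2] for r in rows}
    likely_in_chat = []
    for missing in sort_gaps:
        before = max((s for s in chat_by_sort if s < missing), default=None)
        after = min((s for s in chat_by_sort if s > missing), default=None)
        if before is not None and after is not None \
                and chat_by_sort[before] == chat_by_sort[after] == chat_session:
            likely_in_chat.append(missing)
    return {
        "pk_gaps": pk_gaps,
        "sort_gaps": sort_gaps,
        "sort_gaps_likely_in_chat": likely_in_chat,
    }


def build_sample():
    """Constructed sample: two chats, with Z_PK 3 and 6 (ZSORT 12 and 15) gone."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ZWAMESSAGE(Z_PK INTEGER PRIMARY KEY, ZSORT INTEGER, "
        "ZCHATSESSION INTEGER, ZTEXT TEXT)"
    )
    con.executemany("INSERT INTO ZWAMESSAGE VALUES (?, ?, ?, ?)", [
        (1, 10, 1, "Hi, are we still on for tomorrow?"),
        (2, 11, 1, "Yes, same place."),
        (4, 13, 1, "Great, see you there."),
        (5, 14, 2, "Unrelated message in another chat"),
        (7, 16, 1, "Running ten minutes late"),
        (8, 17, 1, "No problem"),
    ])
    con.commit()
    return con


if __name__ == "__main__":
    report = deletion_indicators(build_sample(), chat_session=1)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real extraction, replace `build_sample()` with `sqlite3.connect("/path/to/ChatStorage.sqlite")` opened read-only on a working copy; the two query columns Z_PK and ZSORT are the ones the page names, and the report says only that records are missing, not what they contained.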


Forensic analysis of WhatsApp on the Android smartphone

First, let’s see how the test conversation and deleted messages looked on the other end. 

[Screenshot: the same test conversation, with its deleted messages, on the Android phone]

We acquired the device using the “Android file system copy” method and analyzed it with Belkasoft X. After locating our test chat in the tool’s “Artifacts” window, we discovered that Belkasoft X was able to recover the majority of the deleted messages. How come?

[Screenshot: the test chat in the Belkasoft X “Artifacts” window, with most deleted messages recovered]

While there are many nuances to obtaining and navigating Android WhatsApp data, we will look at the Android database WAL records to understand this particular case. Let’s see how this relates to our WhatsApp forensics and deleted messages.


Android devices store WhatsApp message data in the msgstore.db file located in ..\data\data\com.whatsapp\databases. The message table holds the user’s chat records. To find our test conversation, we need to sort the table by the _id column.

[Screenshot: the message table of msgstore.db sorted by _id, showing duplicated and missing primary key values]

What do we have here? Some primary key values are duplicated, and one number is missing. The Record type column shows that many records originate from the WAL file, so let’s examine it.

In SQLite’s Write-Ahead Log (WAL) mode, modified database pages are appended to a separate WAL file and are only merged into the main database file later, during a checkpoint. This keeps the database consistent while letting readers see the latest committed data straight from the WAL. Because every page version written between two checkpoints stays in the WAL file, earlier states of a page survive there, including rows that a later transaction deleted, which is what makes WAL files so useful for recovering modified and deleted data.

Reviewing the Android database WAL records, we can trace transactions during the WhatsApp conversation and message deletions. Belkasoft X’s SQLite Viewer shows WAL and main database records together, offering a comprehensive view of changes. It successfully retrieved these records because the WAL checkpoint had not occurred by the time of acquisition. Despite Android’s cooperative WAL mechanism, one message deleted “for Me” was completely removed. WhatsApp’s proprietary code makes it difficult to pinpoint WAL configuration on Android, but our tests show it’s more cooperative than on iOS.
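To make the WAL behaviour described in the last two paragraphs concrete, here is an added example (not Belkasoft's or WhatsApp's code). It creates a constructed, cut-down `message` table with the `_id`, `key_remote_jid` and `data` columns (an assumption loosely modelled on the Android msgstore.db named above, not the real schema), deletes one row, and then parses the `-wal` file frame by frame using SQLite's documented WAL layout: a 32-byte header followed by frames of a 24-byte header plus one page image. The example turns `PRAGMA secure_delete=ON` on deliberately (the page states WhatsApp's own configuration is not known) so that the deleted row is scrubbed from the live page image, which shows that the older frame of the same page still holds it until a checkpoint. It ends with `PRAGMA wal_checkpoint(TRUNCATE)` to show what acquisition after a checkpoint would have found.

```python
"""Walk a SQLite WAL file and show which page versions still hold a deleted row.

Added example; the table and messages below are constructed.
"""
import os
import sqlite3
import struct
import tempfile

WAL_HEADER_LEN = 32
FRAME_HEADER_LEN = 24
WAL_MAGICS = (0x377F0682, 0x377F0683)          # big-endian / little-endian checksum variants
DELETED_TEXT = b"Reminder: dentist at 3pm"      # constructed text of the row we will delete


def parse_wal(wal_bytes):
    """Split a WAL file into frames: (page_size, [frame, ...]).

    Each frame records the page number, the commit marker (database size in
    pages, non-zero only on the last frame of a transaction), the raw page
    image, and whether the frame is stale: its salts differ from the header,
    meaning it was left behind by a checkpoint reset. SQLite ignores stale
    frames, but their page images are exactly what a forensic viewer recovers.
    """
    if len(wal_bytes) < WAL_HEADER_LEN:
        return None, []                          # zero-byte or truncated WAL
    magic, _version, page_size, _ckpt_seq, salt1, salt2 = struct.unpack(
        ">IIIIII", wal_bytes[:24])
    if magic not in WAL_MAGICS:
        raise ValueError("not a SQLite WAL file")
    frames, off = [], WAL_HEADER_LEN
    while off + FRAME_HEADER_LEN + page_size <= len(wal_bytes):
        pgno, commit_size, fsalt1, fsalt2 = struct.unpack(">IIII", wal_bytes[off:off + 16])
        start = off + FRAME_HEADER_LEN
        frames.append({"page": pgno, "commit": commit_size,
                       "image": wal_bytes[start:start + page_size],
                       "stale": (fsalt1, fsalt2) != (salt1, salt2)})
        off = start + page_size
    return page_size, frames


def demo(workdir=None):
    workdir = workdir or tempfile.mkdtemp()
    path = os.path.join(workdir, "msgstore.db")   # constructed file, not an extraction
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("PRAGMA secure_delete=ON")         # scrub deleted cells in the live page image
    con.execute("CREATE TABLE message(_id INTEGER PRIMARY KEY, key_remote_jid TEXT, data TEXT)")
    jid = "constructed-contact@s.whatsapp.net"     # constructed identifier
    con.executemany("INSERT INTO message(key_remote_jid, data) VALUES (?, ?)", [
        (jid, "Hi, are we still on?"),
        (jid, DELETED_TEXT.decode()),
        (jid, "See you then."),
    ])
    con.commit()
    con.execute("DELETE FROM message WHERE _id = 2")   # the user's "delete for me"
    con.commit()

    with open(path + "-wal", "rb") as f:
        _, frames = parse_wal(f.read())
    latest = {}                                    # page number -> index of its current frame
    for i, fr in enumerate(frames):
        if not fr["stale"]:
            latest[fr["page"]] = i
    frames_with_text = [i for i, fr in enumerate(frames) if DELETED_TEXT in fr["image"]]
    live_frames_with_text = [i for i in frames_with_text if latest.get(frames[i]["page"]) == i]
    surviving_ids = [r[0] for r in con.execute("SELECT _id FROM message ORDER BY _id").fetchall()]

    # A checkpoint copies only the latest image of each page into the main file;
    # TRUNCATE then empties the WAL, and the older image is gone.
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    wal_size_after = os.path.getsize(path + "-wal")
    with open(path, "rb") as f:
        in_main_after = DELETED_TEXT in f.read()
    con.close()
    return {
        "frames": len(frames),
        "frames_with_deleted_text": frames_with_text,
        "live_frames_with_deleted_text": live_frames_with_text,
        "surviving_ids": surviving_ids,
        "wal_bytes_after_checkpoint": wal_size_after,
        "deleted_text_in_main_db_after_checkpoint": in_main_after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two lists in the result are the point: the deleted text sits in a superseded frame of the table's page but not in that page's current frame, so a plain query (or the main database file after the checkpoint) never shows it, while a frame-level reader does. To examine a WAL file from an acquisition, call `parse_wal()` on the bytes of the `-wal` file that accompanies msgstore.db, and treat the `stale` frames with the same care as the live ones.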


Can digital forensics tools recover deleted WhatsApp messages?

Our investigation into deleted WhatsApp messages on iOS and Android revealed that it all comes down to the technical background of the problem and the mobile forensics tools in use.

iOS databases were less cooperative, showing no traces of deleted records, though we could infer deletions from missing primary key values. Android’s Write-Ahead Logging (WAL) mechanism and fewer checkpoints allowed us to recover most deleted messages using Belkasoft X. 

We are once again convinced that proper knowledge of database structures and appropriate forensic tools can significantly enhance the accuracy and completeness of digital forensic investigations.
