WhatsApp is the world’s most-used messaging app, with over 2 billion users. It’s also one of the most common sources of digital evidence in investigations ranging from fraud to domestic violence.

Understanding how WhatsApp stores data — and how that data can be extracted — is critical for digital forensic practitioners. This guide covers the technical underpinnings of WhatsApp forensics across both Android and iOS platforms.

How WhatsApp Stores Data Locally

WhatsApp stores messages in a SQLite database. On Android, the primary database is msgstore.db, located at /data/data/com.whatsapp/databases/. On iOS, it’s ChatStorage.sqlite in the app’s container directory, typically at /var/mobile/Containers/Shared/AppGroup/[UUID]/ChatStorage.sqlite.

These databases hold the message content together with chat, group and call metadata. On Android, the key tables to examine are listed below (legacy schema; recent versions split messages across message, chat and jid tables, so check sqlite_master first):

-- Core message data (legacy schema: single "messages" table;
-- timestamps are milliseconds since the Unix epoch)
SELECT key_remote_jid, key_from_me, data, timestamp, media_url, media_mime_type
FROM messages
WHERE key_remote_jid LIKE '%@s.whatsapp.net'   -- 1:1 chats; group JIDs end in @g.us
ORDER BY timestamp DESC;

-- Group chat metadata: subject and creation time live in chat_list
-- (group_participants_history records membership changes, not the subject)
SELECT key_remote_jid, subject, creation
FROM chat_list
WHERE key_remote_jid LIKE '%@g.us';

-- Call logs (call_log table, present since roughly v2.21; metadata only)
SELECT * FROM call_log;
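Because the Android schema changed over time, an examiner's first step is to detect which shape the file has and normalise the output. The script below is an added example written for this page, not code from the original article or from any forensic tool; it builds two constructed in-memory databases (one legacy-style "messages" table, one with the newer message/chat/jid split) from the same sample rows, detects the schema from sqlite_master, joins JIDs back to messages, and converts WhatsApp's millisecond timestamps to UTC. The modern column names (text_data, chat_row_id, jid_row_id, raw_string) are assumptions that should be confirmed against the examined file.

```python
import datetime as dt
import sqlite3

LEGACY_SQL = """
SELECT key_remote_jid, key_from_me, data, timestamp
FROM messages
ORDER BY timestamp
"""

# Assumed column names for recent msgstore.db versions (JIDs normalised into a
# jid table referenced by chat and message rows); confirm against sqlite_master.
MODERN_SQL = """
SELECT j.raw_string, m.from_me, m.text_data, m.timestamp
FROM message AS m
JOIN chat AS c ON c._id = m.chat_row_id
JOIN jid  AS j ON j._id = c.jid_row_id
ORDER BY m.timestamp
"""


def detect_schema(con):
    """Return 'legacy' (single messages table) or 'modern' (message/chat/jid tables)."""
    names = {row[0] for row in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    if {"message", "chat", "jid"} <= names:
        return "modern"
    if "messages" in names:
        return "legacy"
    raise ValueError("no WhatsApp message table found")


def wa_timestamp(ms):
    """WhatsApp stores milliseconds since the Unix epoch; render as UTC ISO-8601."""
    return dt.datetime.fromtimestamp(ms / 1000, tz=dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def export_messages(con, direct_chats_only=False):
    """Normalise either schema into one list of dicts; optionally keep only 1:1 chats."""
    sql = LEGACY_SQL if detect_schema(con) == "legacy" else MODERN_SQL
    out = []
    for jid, from_me, text, ts in con.execute(sql):
        if direct_chats_only and not jid.endswith("@s.whatsapp.net"):
            continue
        out.append({"jid": jid, "direction": "sent" if from_me else "received",
                    "text": text, "utc": wa_timestamp(ts)})
    return out


# Constructed sample rows (not from a real device), loaded into both schema shapes.
_SAMPLE = [
    ("15551230001@s.whatsapp.net", 0, "Invoice 4471 approved", 1700000000000),
    ("15551230001@s.whatsapp.net", 1, "Thanks, sending the wire now", 1700000060000),
    ("120363001234567890@g.us", 0, "Quarterly numbers attached", 1700000120000),
]


def make_legacy_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messages(_id INTEGER PRIMARY KEY, key_remote_jid TEXT, key_from_me INTEGER,"
                " data TEXT, timestamp INTEGER, media_url TEXT, media_mime_type TEXT)")
    con.executemany("INSERT INTO messages(key_remote_jid, key_from_me, data, timestamp) VALUES (?, ?, ?, ?)",
                    _SAMPLE)
    return con


def make_modern_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE jid(_id INTEGER PRIMARY KEY, user TEXT, server TEXT, raw_string TEXT);
        CREATE TABLE chat(_id INTEGER PRIMARY KEY, jid_row_id INTEGER, subject TEXT, created_timestamp INTEGER);
        CREATE TABLE message(_id INTEGER PRIMARY KEY, chat_row_id INTEGER, from_me INTEGER,
                             sender_jid_row_id INTEGER, timestamp INTEGER, text_data TEXT);
    """)
    jids = {}
    for raw, from_me, text, ts in _SAMPLE:
        if raw not in jids:
            user, server = raw.split("@")
            cur = con.execute("INSERT INTO jid(user, server, raw_string) VALUES (?, ?, ?)", (user, server, raw))
            jids[raw] = cur.lastrowid
            con.execute("INSERT INTO chat(_id, jid_row_id, subject) VALUES (?, ?, ?)",
                        (jids[raw], jids[raw], "Finance" if server == "g.us" else None))
        con.execute("INSERT INTO message(chat_row_id, from_me, sender_jid_row_id, timestamp, text_data)"
                    " VALUES (?, ?, ?, ?, ?)", (jids[raw], from_me, jids[raw], ts, text))
    return con


if __name__ == "__main__":
    for make in (make_legacy_db, make_modern_db):
        con = make()
        print(detect_schema(con))
        for row in export_messages(con):
            print(row)
```

Pointing export_messages at a decrypted msgstore.db copy (sqlite3.connect on the file, ideally opened read-only with a `file:...?mode=ro` URI) gives the same normalised output regardless of which WhatsApp version wrote it.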

Media files (photos, videos, voice messages, documents) are stored in a separate directory. On Android, unencrypted media lives in /sdcard/WhatsApp/Media/ on older installs and, since the move to scoped storage, in /sdcard/Android/media/com.whatsapp/WhatsApp/Media/; both locations are on shared storage and can be extracted without full file system access. On iOS, media is stored under Message/Media/ within the shared app group container and is organized by chat JID.

WhatsApp Encryption: E2EE and At-Rest Encryption

WhatsApp uses the Signal Protocol for end-to-end encryption of messages in transit. This means WhatsApp’s servers cannot read message content — only the sender and receiver hold the session keys.

This also means WhatsApp cannot provide message content to law enforcement. When served with a legal request under 18 U.S.C. § 2703, WhatsApp can provide account metadata — registration date, IP addresses, last seen time, linked phone numbers — but not message content.

The local database encryption differs significantly between platforms:

Android: The live msgstore.db in /data/data/com.whatsapp/databases/ is an ordinary SQLite file; WhatsApp does not encrypt it itself, so with root access or a full file system acquisition it opens directly in any SQLite browser. What WhatsApp encrypts are the backup copies it writes to shared storage (msgstore.db.crypt12 and .crypt14, and .crypt15 for end-to-end encrypted backups), using AES-256-GCM. The key for .crypt12/.crypt14 files is stored in /data/data/com.whatsapp/files/key and the key for .crypt15 files in /data/data/com.whatsapp/files/encrypted_backup.key; extracting either requires root access or a full file system acquisition. Older backup formats (.crypt through .crypt5) used a hard-coded key, or one derived from it and the account's Google e-mail address, and are trivially decryptable.

iOS: The database is protected by iOS Data Protection (class NSFileProtectionCompleteUntilFirstUserAuthentication). It is not separately encrypted by WhatsApp — iOS’s native encryption handles at-rest protection. This means the database is accessible whenever the device has been unlocked at least once since boot (AFU state).

[Figure: mobile device data extraction for forensic analysis] WhatsApp stores messages in SQLite databases with distinct schema differences between the Android and iOS implementations.

Extracting WhatsApp Data

From an unlocked Android device: With root access or a file system extraction tool (Cellebrite UFED 7.x+, Magnet AXIOM 7.x, or MSAB XRY), the live msgstore.db can be copied and opened directly, and the key files in /data/data/com.whatsapp/files/ can be retrieved alongside it. The key is needed only for the encrypted backup copies (msgstore.db.crypt14 or .crypt15 from shared storage, or a backup pulled from the cloud); those are decrypted with open-source tools such as whatsapp-viewer or wa-crypt-tools:

# Decrypt a WhatsApp backup database (Android). The live msgstore.db is plain SQLite;
# only the .crypt14/.crypt15 copies from shared storage need this step.
# pip install wa-crypt-tools   (installs wadecrypt; decrypt14_15.py is the older script name)
wadecrypt key msgstore.db.crypt14 msgstore.db                   # .crypt14: key from files/key
wadecrypt encrypted_backup.key msgstore.db.crypt15 msgstore.db  # .crypt15: files/encrypted_backup.key (or the 64-digit key)
sha256sum msgstore.db.crypt15 msgstore.db                       # record both hashes for the report

# Then open with any SQLite browser
sqlite3 msgstore.db "SELECT * FROM messages LIMIT 10;"

From an iOS device with file system access: Tools like Cellebrite UFED or Magnet AXIOM with full file system extraction capability can pull the WhatsApp database from iOS. The database is protected under iOS Data Protection — accessible when the device is in AFU (After First Unlock) state.

From an iTunes/iCloud backup: WhatsApp includes its message database in standard iOS backups. An iTunes backup with a known password, or an iCloud backup obtained via legal process, often contains the full WhatsApp message history at the time of the backup. The relevant backup domain is AppDomainGroup-group.net.whatsapp.WhatsApp.shared.

From Google Drive backup: WhatsApp on Android backs up to Google Drive weekly by default. Google Drive backups of WhatsApp were historically not protected by E2EE — they were encrypted with a key Google held. With legal process, Google could provide the WhatsApp backup. Since late 2021, users can optionally enable E2EE for cloud backups. If enabled, the backup is encrypted with a user-generated password or a 64-digit key, and neither Google nor WhatsApp can decrypt it.

[Figure: digital evidence recovery from storage devices] Deleted WhatsApp messages may persist in SQLite freelist pages until the database undergoes a VACUUM operation or the pages are overwritten.

Recovering Deleted WhatsApp Messages

When a message is deleted in WhatsApp ("Delete for Me" or "Delete for Everyone"), the row is removed from the messages table, but SQLite does not zero the record by default: the bytes remain in free space inside the page, or in freelist pages once a page is wholly emptied, until they are overwritten or the file is rebuilt.

The WAL file (msgstore.db-wal) is particularly valuable. SQLite uses WAL mode for concurrent read/write operations, and the WAL file holds recent transactions, including deletions, that have not yet been checkpointed into the main database; until that checkpoint the main file still carries the pre-deletion version of the affected pages. Always collect the -wal and -shm files alongside msgstore.db.

Recovery success rates are higher on lightly used devices, where freed space is reclaimed slowly, and when the -wal file is captured before the app checkpoints the deletion into the main database.

WhatsApp’s “Delete for Everyone” feature sends a protocol message to the recipient’s device instructing it to remove the message. However, if the recipient’s device has already written the message to disk and the freelist pages haven’t been reclaimed, the content may still be recoverable.
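The deletion mechanics above, and the reason the examiner must collect the -wal file, can be demonstrated end to end against a constructed database. The script below is an added example written for this page, not code from the original article or from WhatsApp; it uses the same column names as the legacy messages table but is a toy database, not a real msgstore.db. It inserts three sample rows, deletes one, and carves the deleted text from the raw file bytes at each stage: the main file before checkpoint (still holds the pre-deletion page), the WAL frames (parsed from the 32-byte WAL header and 24-byte frame headers), the main file after checkpoint (text survives in the page's free space, and note the freelist count stays zero because the page still holds live rows), and finally after VACUUM, where it is gone. The PRAGMA secure_delete=OFF setting is an assumption about the app's build; with it ON, SQLite zeroes freed cells and the post-checkpoint hit disappears.

```python
import os
import sqlite3
import struct
import tempfile

# Constructed sample rows (not from a real device); the second is the one we delete.
SAMPLE_MESSAGES = [
    ("15551230001@s.whatsapp.net", "Invoice 4471 approved", 1700000000000),
    ("15551230002@s.whatsapp.net", "Move the funds before the audit on Friday", 1700000060000),
    ("15551230001@s.whatsapp.net", "Received, thanks", 1700000120000),
]
DELETED_TEXT = SAMPLE_MESSAGES[1][1]


def page_size_of(db_bytes):
    """Page size from the SQLite file header (offset 16, big-endian; 1 encodes 65536)."""
    size = struct.unpack(">H", db_bytes[16:18])[0]
    return 65536 if size == 1 else size


def freelist_page_count(db_bytes):
    """Header offset 36: number of freelist pages. Only wholly emptied pages land here;
    a deleted row on a page that still holds live rows stays inside that page as free space."""
    return struct.unpack(">I", db_bytes[36:40])[0]


def pages_containing(db_bytes, needle):
    """1-based page numbers of a main database file whose raw bytes contain needle."""
    size = page_size_of(db_bytes)
    return [n for n in range(1, len(db_bytes) // size + 1)
            if needle in db_bytes[(n - 1) * size: n * size]]


def wal_frames(wal_bytes):
    """Yield (page_number, page_bytes) for each frame of the current WAL generation.
    WAL header: magic, version, page size, checkpoint seq, salt1, salt2, cksum1, cksum2 (8 x u32 BE).
    Frame header (24 bytes): page number, commit size, salt1, salt2, cksum1, cksum2."""
    if len(wal_bytes) < 32:
        return
    magic, _ver, size, _seq, salt1, salt2, _c1, _c2 = struct.unpack(">8I", wal_bytes[:32])
    if magic not in (0x377F0682, 0x377F0683):
        raise ValueError("not a SQLite WAL file")
    off = 32
    while off + 24 + size <= len(wal_bytes):
        pgno, _commit, s1, s2, _c1, _c2 = struct.unpack(">6I", wal_bytes[off:off + 24])
        if (s1, s2) != (salt1, salt2):   # stale frame left over from an earlier WAL generation
            break
        yield pgno, wal_bytes[off + 24: off + 24 + size]
        off += 24 + size


def _snapshot(path):
    with open(path, "rb") as f:
        return f.read()


def run_demo(workdir=None):
    """Delete one row and report where its text can still be carved from at each stage."""
    workdir = workdir or tempfile.mkdtemp()
    db = os.path.join(workdir, "msgstore.db")
    con = sqlite3.connect(db, isolation_level=None)            # autocommit: PRAGMA and VACUUM need no open txn
    con.execute("PRAGMA journal_mode=WAL").fetchall()
    con.execute("PRAGMA secure_delete=OFF").fetchall()         # assumed app setting; ON would zero freed cells
    con.execute("CREATE TABLE messages(_id INTEGER PRIMARY KEY, key_remote_jid TEXT, data TEXT, timestamp INTEGER)")
    con.executemany("INSERT INTO messages(key_remote_jid, data, timestamp) VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()  # all three rows now live in the main file

    con.execute("DELETE FROM messages WHERE data = ?", (DELETED_TEXT,))
    # Examination copies taken while the app still holds the database open, i.e. before checkpoint.
    main_before = _snapshot(db)
    wal_before = _snapshot(db + "-wal")

    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()  # deletion merged into the main file
    main_after = _snapshot(db)

    con.execute("VACUUM")                                      # rebuilds every page from live rows only
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
    main_vacuumed = _snapshot(db)
    live_rows = con.execute("SELECT count(*) FROM messages").fetchone()[0]
    con.close()

    needle = DELETED_TEXT.encode()
    return {
        "live_rows": live_rows,
        "main_before_checkpoint": pages_containing(main_before, needle),
        "wal_pages": sorted({pgno for pgno, page in wal_frames(wal_before) if needle in page}),
        "main_after_checkpoint": pages_containing(main_after, needle),
        "freelist_pages_after_checkpoint": freelist_page_count(main_after),
        "main_after_vacuum": pages_containing(main_vacuumed, needle),
    }


if __name__ == "__main__":
    for stage, value in run_demo().items():
        print(f"{stage}: {value}")
```

The practical lesson is in the stage names: a logical export of the live database shows two rows, the raw main file still shows the deleted text on page 2 both before and after checkpoint, the WAL frame carries the post-deletion page with the text intact in its free space, and only VACUUM (which WhatsApp may run on its own) removes it. The freelist count of zero also shows why carving must cover free space inside allocated pages, not just freelist pages.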

WhatsApp Web and Desktop Artifacts

WhatsApp Web and Desktop create additional evidence sources. The browser application stores IndexedDB data in the user’s browser profile. WhatsApp Desktop (Electron-based) creates a local database mirror of conversations.

On Windows, the Electron-based WhatsApp Desktop keeps its data under %AppData%\WhatsApp\ (the databases\ and IndexedDB\ folders); the newer native Windows Store client stores its data under the app's package folder in %LocalAppData%\Packages\ instead. On macOS, it is in ~/Library/Application Support/WhatsApp/IndexedDB/. These stores contain a synced copy of recent conversations and are extractable from a seized computer with standard forensic imaging.

Key artifacts to look for in desktop installations are the IndexedDB store (backed by LevelDB files in the profile directory) holding the synced conversation mirror, and the session data that ties the installation to a specific linked phone.

Case Example

In a civil fraud investigation, opposing counsel produced text messages but claimed certain WhatsApp conversations had been deleted months earlier. The examining attorney obtained a court order for a forensic examination of the party’s Android device.

The forensic examiner performed a Cellebrite Physical Analyzer extraction, obtaining a full file system image. The msgstore.db.crypt15 database was decrypted using the key file recovered from the device’s protected storage. Analysis of the decrypted database’s freelist pages recovered 347 deleted messages spanning a four-month window.

The recovered messages contradicted the producing party’s interrogatory responses regarding knowledge of certain financial transactions. The WAL file also contained deletion timestamps, establishing that the messages were deleted two days after the litigation hold was issued — supporting a subsequent spoliation motion.

The examiner’s report documented the chain of custody, the extraction method, hash verification of the database file (SHA-256), and the specific SQLite page addresses where deleted content was recovered. The report was admitted under FRE 702 without a Daubert challenge.

Practitioner Takeaways

Message content never comes from WhatsApp's servers; it comes from the device, from a linked desktop, or from a backup. On Android, collect the live msgstore.db together with the key files under /data/data/com.whatsapp/files/, since the backup copies in shared storage and in Google Drive are what those keys decrypt. On iOS, collect ChatStorage.sqlite from the shared app group container, or the AppDomainGroup-group.net.whatsapp.WhatsApp.shared domain of a backup. Always preserve the -wal and -shm files next to the database and examine free space and freelist pages for deleted content before anything triggers a VACUUM. Hash every file on acquisition and record the page addresses where carved content was found, as the case example below shows.

FAQ: WhatsApp Forensics

Q: Can WhatsApp be compelled to provide message content?
A: No. WhatsApp’s end-to-end encryption means they don’t have access to message content. They can provide account metadata: registration information, IP addresses used at registration and last connection, linked devices, and group membership. Message content requires device extraction or backup access.

Q: What’s the difference between “Delete for Me” and “Delete for Everyone”?
A: “Delete for Me” removes the message from your device’s active database but not the recipient’s. “Delete for Everyone” sends a protocol-level deletion request to all participants. Both operations leave potential artifacts in SQLite freelist pages on the deleting device. “Delete for Everyone” must be used within approximately 60 hours of sending.

Q: Can forensic tools read WhatsApp messages on a completely locked phone?
A: Generally no — the database encryption keys are protected by the device’s lock state. However, if the device is in AFU (After First Unlock) state — meaning it has been unlocked at least once since boot — some extraction methods can access the encrypted database. Additionally, cloud backups may contain message history accessible via separate legal process.

Q: How long do deleted WhatsApp messages remain recoverable?
A: There is no fixed timeframe. Deleted data persists in SQLite freelist pages, and in free space within pages still in use, until that space is reused by new writes. On a heavily used device, pages may be reclaimed within days. On a lightly used device, deleted messages have been recovered months after deletion. A VACUUM operation, which WhatsApp may trigger automatically, rebuilds the file from live rows only and permanently destroys that residual data.

Q: Are WhatsApp voice and video calls logged in the forensic database?
A: Yes. Since approximately version 2.21, WhatsApp maintains a call_log table in the message database. This table records call type (voice/video), duration, timestamp, and participant JIDs. Call content is not recorded — only metadata.

Q: What’s the forensic difference between WhatsApp and WhatsApp Business?
A: WhatsApp Business uses a separate package name (com.whatsapp.w4b) and stores its database in a different application directory. The schema is largely identical, but Business accounts include additional tables for product catalogs, quick replies, and customer labels. Both apps can coexist on the same device with separate databases.

See also: Signal App Forensics | Telegram Forensics | Deleted Data Recovery

Need Professional Digital Forensics?

Octo Digital Forensics provides expert mobile forensics, data recovery, and digital investigation services for attorneys, insurance companies, and private investigators. Court-admissible reports. Certified examiners.

Contact: octodf.com | info@derickdowns.com | (858) 692-3306