A client walks in with a business dispute involving WhatsApp messages. They have the phone. Great. Now comes the part nobody tells you about in the vendor brochures: WhatsApp’s architecture is fundamentally different on Android and iOS, the database structures don’t match, and the encryption story is complicated enough to trip up examiners who haven’t specifically dealt with it before.
Here’s a thorough breakdown of how WhatsApp stores data on both platforms, where the artifacts live, how to approach deleted message recovery, and what the encryption actually means for your examination.
Database Locations: Android
On Android, WhatsApp stores its primary message database at:
“
/data/data/com.whatsapp/databases/msgstore.db
This is an SQLite database. If you have root access to the device (either through physical extraction or an unlocked bootloader), you can pull this file directly. If you're working with a logical extraction via ADB, you may or may not be able to reach it — Android's scoped storage restrictions mean it depends on whether the device is rooted or whether you have a forensic-grade extraction capability.
There's also a media message reference database at:
`
/data/data/com.whatsapp/databases/wa.db
This stores contacts, group membership, and broadcast list information. It's separate from msgstore.db but cross-referenced.
Media files on Android are stored at:
`
/sdcard/WhatsApp/Media/
This breaks down into subdirectories by media type: WhatsApp Images, WhatsApp Video, WhatsApp Audio, WhatsApp Documents, and WhatsApp Voice Notes. Unlike the database, the media folder is in external storage and accessible even without root access in many cases.
WhatsApp also maintains a backup at:
`
/sdcard/WhatsApp/Databases/msgstore.db.crypt15
The number suffix (crypt12, crypt14, crypt15) corresponds to the encryption version. This encrypted backup file requires a device-specific key to decrypt. The key lives at:
`
/data/data/com.whatsapp/files/key
Without root access, you can't get the key. Without the key, you can't decrypt the crypt15 backup. This is a critical point — examiners sometimes find the backup file on external storage via logical extraction, but can't decrypt it because the key is sandboxed.
Database Locations: iOS
On iOS, the primary WhatsApp message database lives at:
`
/private/var/mobile/Containers/Data/Application/[UUID]/Documents/ChatStorage.sqlite
The UUID here is a randomly generated identifier assigned to the WhatsApp app at installation. It changes with reinstallation. Your forensic tool will resolve this path automatically, but if you're browsing a raw file system extraction, you need to identify the correct UUID folder — look for the one containing a Documents folder with ChatStorage.sqlite.
Additional databases of interest:
`
/private/var/mobile/Containers/Data/Application/[UUID]/Documents/Contacts.sqlite
/private/var/mobile/Containers/Data/Application/[UUID]/Documents/ChatSearch.sqlite
The ChatSearch.sqlite contains a full-text search index of message content — useful for keyword searching across message history.
Media on iOS is stored in:
`
/private/var/mobile/Containers/Data/Application/[UUID]/Documents/Media/
And also in the shared app group container, which on iOS is located at:
`
/private/var/mobile/Containers/Shared/AppGroup/[UUID]/WhatsApp.sqlite
The shared container stores data that's accessible across the WhatsApp main app and its extension processes. This is particularly important if you're trying to reconstruct recent notification-based activity.
Understanding the msgstore.db Schema (Android)
The msgstore.db schema has evolved across WhatsApp versions, but the core tables have been relatively stable. Key tables:
messages — The primary message table. Key columns:
- _id
: Unique message ID - key_remote_jid
: JID (Jabber ID) of the chat partner or group. Format: phone_number@s.whatsapp.net for individual chats, group_id@g.us for groups - key_from_me
: 0 = received, 1 = sent - timestamp
: Unix timestamp in milliseconds - data
: The message text (NULL for media messages) - status
: Message delivery/read status (0=received, 4=sent, 5=delivered, 13=read) - media_url
,media_mime_type,media_size: For media messages
jid — Maps JID values to phone numbers and display names. Cross-reference with the messages table to resolve who was in each conversation.
chat — One row per conversation thread. Contains unread counts and the last message ID for each conversation.
message_media — In more recent WhatsApp versions, some media metadata moved here from the messages table.
The timestamp format is standard Unix milliseconds. Convert to human-readable: timestamp / 1000 gives you Unix epoch seconds.
Understanding the ChatStorage.sqlite Schema (iOS)
iOS's ChatStorage.sqlite is a different schema from Android's msgstore.db. Same data, different structure.
Key tables:
ZWAMESSAGE — The primary message table. Key columns:
- Z_PK
: Primary key - ZCHATSESSION
: Foreign key to ZWACHATSESSION - ZISFROMME
: 0 = received, 1 = sent - ZMESSAGEDATE
: Timestamp in Core Data format (seconds since January 1, 2001) - ZTEXT
: Message text - ZMEDIAITEM
: Foreign key to ZWAMEDIAITEM for media messages
ZWACHATSESSION — One row per conversation. Contains the contact JID and display name.
ZWAMEDIAITEM — Media message metadata including file path (relative to the Media directory), MIME type, file size, and media creation date.
ZWAPROFILEPUSHNAME — Push names (display names) for contacts.
Converting Core Data timestamps: The iOS timestamp format uses seconds since January 1, 2001, not the Unix epoch (January 1, 1970). The offset is 978307200 seconds. To convert: ZMESSAGEDATE + 978307200 gives you Unix epoch seconds. Most forensic tools handle this automatically, but if you're writing custom SQL queries, you need to account for it.
Media Storage Paths and File Recovery
WhatsApp media files are not embedded in the databases — the databases store metadata and file paths, while the actual files are on disk.
On Android, media is stored in the external storage WhatsApp/Media directory. These files survive many logical extractions even when the message databases are inaccessible.
On iOS, media files in /Documents/Media/ are accessible in full file system extraction and sometimes in advanced logical extractions (since they're in the app container). Thumbnails are stored separately and can provide evidence of media that's been deleted from the main storage.
Important: WhatsApp downloads media automatically by default. Even if a user deletes a message, the media file on disk may persist after the database record is removed. Examining the media directory for files with no corresponding database entry can surface recovered evidence.
File naming in WhatsApp media follows predictable patterns. Images are often named IMG-[YYYYMMDD]-WA[NNNN].jpg. Videos follow VID-[YYYYMMDD]-WA[NNNN].mp4. These filenames encode creation date, which you can use for timeline correlation independent of the database.
Deleted Message Recovery
Deleted WhatsApp messages may be recoverable through several mechanisms:
SQLite free pages. When a record is deleted from an SQLite database, the space is marked as free but not immediately overwritten. If you acquire the raw database file (rather than a logical export), you can carve the free pages for deleted record remnants. This is not guaranteed — high database activity and the WAL (Write-Ahead Log) mechanism can reduce recovery rates.
WAL file. SQLite databases using WAL mode maintain a separate -wal file (msgstore.db-wal on Android, ChatStorage.sqlite-wal on iOS). The WAL file can contain recent transaction data including records that were added and then deleted between checkpoints.
WhatsApp's local backup. On Android, WhatsApp automatically creates local daily backups (the crypt15 files). If you can get the decryption key, these backups may contain messages that were later deleted from the main database.
Google Drive / iCloud backups. WhatsApp backs up to Google Drive (Android) or iCloud (iOS) if the user has enabled it. These are cloud-side evidence requiring separate legal process, but they may contain full message history from before deletion. See iCloud vs. on-device evidence strategy for more on pursuing cloud-side evidence.
iOS encrypted iTunes backup. An encrypted iTunes backup captures WhatsApp's ChatStorage.sqlite from the app container. If the backup predates message deletion, you have a point-in-time copy of the database. See encrypted iTunes backups for civil examiners.
Encryption Considerations
WhatsApp uses end-to-end encryption for all messages in transit. This is irrelevant to device forensics — by the time a message reaches the device and is stored in the database, it's decrypted. The on-device databases are not end-to-end encrypted; they're protected by the device's standard file system encryption (iOS Data Protection or Android FDE/FBE).
The encryption that is relevant to examiners is the crypt15 backup format on Android. WhatsApp encrypts its local backups with a device-specific key. The encryption is AES-256-GCM. Without the key file, the crypt15 backup is inaccessible.
Cellebrite UFED and Magnet AXIOM both handle WhatsApp crypt15 decryption when they have root access to the device, because they can retrieve the key during extraction.
If you only have the crypt15 file and not the key, you're stuck. There's no publicly documented method to break WhatsApp's crypt15 encryption.
Cross-Platform Inconsistencies to Watch For
When you're examining both parties' devices in a civil dispute (say, two business partners with competing claims about what was agreed in WhatsApp messages), be aware that the conversation will look different in each database.
Timestamps. Android stores timestamps in Unix milliseconds, iOS stores in Core Data format. Your forensic tool should normalize these, but verify.
Message IDs. The _id` values in Android’s msgstore.db are locally generated and don’t match any ID in the iOS partner’s database. There’s no universal message identifier across WhatsApp clients. You correlate messages by timestamp + content, not by any shared ID.
Delivery status. Each side of a conversation records delivery status from their own perspective. A message that shows as “delivered” on the sender’s device may show as “received” on the recipient’s. Don’t conflate these.
Edited and deleted indicators. WhatsApp added message editing. Edited messages may show differently on Android vs. iOS depending on the version and timing of the edit.
FAQ
Q: Can I recover WhatsApp messages if I only have access to the Google Drive backup?
To access a WhatsApp Google Drive backup, you need legal process directed at Google (a subpoena in civil cases). Google maintains these backups for WhatsApp users who have the feature enabled. The backup is encrypted and Google holds keys for these backups in certain configurations. The practical path: legal process to Google, combined with cooperation from the account holder to authorize disclosure, or a court order compelling production.
Q: If the user deleted a WhatsApp conversation (not just a message), is the whole thing gone?
When a conversation is deleted, WhatsApp removes the chat session record and associated message records. The SQLite database marks those pages as free. Depending on database activity since deletion, you may recover partial or full conversation records from free pages. The longer the time since deletion and the more active the database use since then, the less likely full recovery becomes. Media files from the conversation may still exist on disk independently.
Q: Do both Android and iOS WhatsApp databases record who deleted a message and when?
WhatsApp records that a message was deleted (“This message was deleted”) in the database, but the original message content is overwritten. The database stores a reference indicating message deletion, the timestamp of deletion, and a flag indicating self-deletion vs. deletion by the other party. The original message text is replaced. In some versions and some recovery scenarios, the original text may be in SQLite free pages.
Q: Will Cellebrite show me WhatsApp messages that the phone’s own WhatsApp app doesn’t show?
Potentially, yes. Cellebrite and AXIOM parse the raw SQLite databases, including free pages. The WhatsApp app only displays current, non-deleted records. A forensic tool examining the same database can surface deleted records, WAL file remnants, and other artifacts the app doesn’t display. This is one of the core values of device-level forensic examination versus asking someone to screenshot their messages.
Q: What if WhatsApp is installed but the user logged out and re-registered?
Re-registration creates a new key pair for end-to-end encryption and can affect local data depending on whether the user chose to restore from backup on re-registration. In some cases, the previous database is preserved in the app’s data directory under a different filename. A thorough examination should look for database remnants even if the current msgstore.db or ChatStorage.sqlite doesn’t contain the relevant conversation.
