WhatsApp Cell Phone Forensics - Encrypted or Not?
- rich4285
- Apr 22

WhatsApp is a popular communications application for cell phones. It started out mainly as a chatting/messaging app, but now you can make phone calls, send media, create communities, etc. It is free to use and runs over the data channel.
Meta owns the app and advertises it as having end-to-end encryption. That means that your voice, text and media are encrypted before they are sent over the air and are not decrypted until they reach their final destination, the phone receiving the communication.
One may think that this provides the user with a high degree of privacy and security. If we look into the cell phone forensics of WhatsApp, we find the problem is that the WhatsApp data is stored on the phone in unencrypted or open text. If we perform an extraction on the phone, we can obtain a folder called com.whatsapp. This folder contains files and databases associated with the WhatsApp app. Below is a list of the databases I extracted from my Android phone.

My phone is a rooted Google Pixel running the latest version, Android 15, at the time of this writing. If we open the msgstore.db file with DB Browser, we will see it contains quite a few tables of data. The image below is a snapshot of the message table showing several records along with actual WhatsApp chat messages I sent and received.

As you can see, the body of the text message is stored in open, readable format. The time field is in Unix time and can be converted to Date/Time format. I sent a few different types of messages. The message type '0' was a simple text message. For message type '1' I sent a photo and for message type '3' I sent a video. The message with type '2' is a voice message I sent. For the last two messages I used Meta AI, with the first one sent and the next one received.
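To do the same read-out without DB Browser, here is an added example (not part of the original post) that opens a copy of the database read-only, converts the Unix time and labels the four message types listed above. The column names `timestamp`, `from_me`, `message_type` and `text_data` are assumptions to check against the schema in your own extraction, and the sample database is constructed for the demonstration.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Type codes as listed in the post; any other value is reported as unknown.
MESSAGE_TYPES = {0: "text", 1: "photo", 2: "voice", 3: "video"}

def to_utc(ts):
    """Convert a Unix timestamp in seconds or milliseconds to ISO 8601 UTC."""
    if ts > 10**11:  # too large to be seconds, so treat it as milliseconds
        ts = ts / 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def read_messages(db_path):
    """Return (time, direction, type, body) tuples from the message table."""
    # mode=ro makes SQLite refuse writes, so the extracted copy is not altered.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        # Column names are assumptions; verify them against your own msgstore.db.
        rows = con.execute(
            "SELECT timestamp, from_me, message_type, text_data "
            "FROM message ORDER BY _id"
        ).fetchall()
    finally:
        con.close()
    return [(to_utc(ts), "sent" if me else "received",
             MESSAGE_TYPES.get(mtype, f"unknown({mtype})"), body)
            for ts, me, mtype, body in rows]

def build_sample_db():
    """Create a constructed stand-in for msgstore.db (not real WhatsApp data)."""
    path = str(Path(tempfile.mkdtemp()) / "msgstore_sample.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (_id INTEGER PRIMARY KEY, timestamp INTEGER,"
                " from_me INTEGER, message_type INTEGER, text_data TEXT)")
    con.executemany(
        "INSERT INTO message (timestamp, from_me, message_type, text_data)"
        " VALUES (?, ?, ?, ?)",
        [(1745300000000, 1, 0, "Test message"), (1745300060000, 1, 1, None),
         (1745300120, 0, 3, None), (1745300180000, 0, 7, None)])
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    print(*read_messages(build_sample_db()), sep="\n")
```

Point `read_messages` at a working copy of the extracted file rather than the original evidence item.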
The media for these messages is actually stored in the sdcard folder, more specifically in the /sdcard/Android/media/com.whatsapp/WhatsApp/Media folder. Access to this folder does not require a rooted phone. One can simply connect a cable to a PC and copy the files using Windows Explorer. You would need the right USB drivers, or you can use a program like Dr. Fone from Wondershare or any phone file transfer software. The location for this media may be different for other Android versions, but I am running the latest version.
In a future blog I am going to explore WhatsApp location and auto-message deletion. The msgstore.db database has placeholder fields for latitude and longitude location information, but I wasn't seeing any data there even though I had location enabled. I also want to see if the message auto-deletion works in regard to the messages stored on the phone or if this is just deleted from the WhatsApp cloud server.