Most of the time we care about and focus on external threats, looking for actors that may attack us via phishing emails, vulnerable web services, misconfigured network devices, etc.
However, sometimes the threat comes from the inside. In fact, it is not so uncommon to have disloyal or disgruntled employees exfiltrating information from the company (e.g. intellectual property to competitors, confidential information to the press, etc.). In such situations, a full forensic analysis of the employee's devices (workstation, mobile, etc.) is required to understand what happened and to build a comprehensive timeline of the events.
/private/var/mobile/Containers/Shared/AppGroup/
Another piece of background information we need to remember is the fade-out effect on iOS. Every time a user presses the Home button or receives a call while using an application, iOS takes a snapshot
WhatsApp
iLab1:/private/var/mobile/Containers/Shared/AppGroup root# tree 332A098D-368C-4378-A503-91BF33284D4B
|-- Axolotl.sqlite
|-- ChatSearch.sqlite
|-- ChatStorage.sqlite
|-- Contacts.sqlite
ChatStorage.sqlite is where the actual content of the exchanged messages is saved. Among the tables of interest, one of the most important is ZWAMESSAGE, which contains, among other things, the messages exchanged, their timestamps and the name of the user involved in the chat. Other tables worth analyzing are ZWACHATSESSION, ZWAGROUPMEMBER, ZWAGROUPINFO and ZWAMEDIAITEM; the last one stores references to the multimedia files exchanged, an indication of the users involved, timestamps, and the path where each file has been stored.
As also recently mentioned by J. Zdziarski on his blog [1], an interesting feature of WhatsApp is that deleted chats are not actually deleted from the database. This is because when a SQLite record is deleted, for performance reasons it is not wiped or purged from the database immediately: it is marked as free and only overwritten later, when that storage space is needed. Therefore, by simply using a tool like SQLite-parser [2][3], you can quickly carve deleted records out of your WhatsApp chat database.
However, as a matter of fact, you will find this behavior in most applications that use SQLite databases, since most of them do not handle this aspect properly.
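To make the behavior above concrete, the following added example (not code from the post or from WhatsApp; the table name and message rows are constructed to mimic a chat database) deletes a row from a SQLite file, shows that its text still sits in the raw file bytes where a carver would find it, and then repeats the run with SQLite's secure_delete pragma turned on, which is the setting an application would use to actually zero freed records.

```python
"""Deleted SQLite rows survive in the file until overwritten; secure_delete zeroes them."""
import os
import sqlite3
import tempfile

# Constructed sample rows; the second message is the one we will delete and then carve for.
SAMPLE_MESSAGES = [
    (1, "alice", "hello, are we still on for lunch?"),
    (2, "bob", "CONFIDENTIAL-DRAFT-Q3 sent to the press contact"),
    (3, "alice", "ok, see you at noon"),
]
DELETED_ID = 2


def build_and_delete(path, secure_delete):
    """Create a chat-like table (hypothetical schema), insert rows, delete one, close the file."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit: every statement hits disk
    conn.execute("PRAGMA journal_mode=DELETE")           # classic rollback journal, no WAL copies
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, text TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.execute("DELETE FROM message WHERE id = ?", (DELETED_ID,))
    conn.close()


def carve_strings(path, needles):
    """Naive carver: report which strings still appear anywhere in the raw database file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return {n: n.encode() in raw for n in needles}


def live_rows(path):
    """What a normal SQL query sees: the deleted row is gone either way."""
    conn = sqlite3.connect(path)
    ids = [r[0] for r in conn.execute("SELECT id FROM message ORDER BY id")]
    conn.close()
    return ids


def demo(secure_delete):
    """Return (ids visible via SQL, whether the deleted text is still recoverable from the file)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ChatStorage-constructed.sqlite")
        build_and_delete(path, secure_delete)
        deleted_text = SAMPLE_MESSAGES[DELETED_ID - 1][2]
        return live_rows(path), carve_strings(path, [deleted_text])[deleted_text]


if __name__ == "__main__":
    print("secure_delete=OFF:", demo(False))  # ([1, 3], True): gone from SQL, still on disk
    print("secure_delete=ON: ", demo(True))   # ([1, 3], False): freed cell zeroed on delete
```

The same recovery window closes when the application runs VACUUM, so on a seized device the database should be copied before any tool opens it with write access.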
Last but not least, the Snapshot feature
convesations_v29, which contains the list of active conversations as shown in the Chats
encrypted_cids_v29, which contains the conversation ids of the secret chats.
Beyond the (expected) behavior already seen in WhatsApp, namely that deleted records are not immediately purged from the database and can therefore be recovered, Telegram messages from secret chats are stored in clear in the
This was a brief overview of what you can find when investigating messaging applications in an iOS environment. Nothing rocket science for sure, but still important things to remember during the analysis, and they are often overlooked.
Pasquale
References:
[1] WhatsApp Forensic Artifacts: Chats Aren't Being Deleted, http://www.zdziarski.com/blog/?p=6143
[2] Python Parser to Recover Deleted SQLite Database Data, http://az4n6.blogspot.ch/2013/11/python-parser-to-recover-deleted-sqlite.html
[3] SQLite-parser, https://github.com/mdegrazia/SQLite-Deleted-Records-Parser