Mobile Device Data In a Big Data World

Today’s world is becoming more and more mobile every day. In fact, 91% of all people own a mobile device and 56% own some type of smart device. It is no surprise that today there are more mobile devices on the earth than there are people! Equally impressive is that the amount of data we consume is becoming increasingly focused on mobile devices. In fact, according to Pew Research, 55% of all internet traffic in the United States is from a mobile device, which is a first for overall internet traffic.   Mobile data is not just a part of the Big Data world; it is one of the largest contributors. Mobile device data, particularly smart devices, will contribute to approximately 8 zettabytes of data by 2015. To put a zettabyte in perspective, think of 250 billion DVDs containing around 36 million years of HD video. The total data would equal approximately 1 zettabyte. With these statistics in mind, it would make sense that every digital investigation scenario will contain data from mobile devices. With that being said, collecting and analyzing mobile data is not only vital, but paramount to solving today’s crimes. Mobile device data, combined with data from other big data repositories, like hard drives, network shares, and offline servers paints a much better picture than relying on a single source. So, what types of mobile device data are most important to investigations? The answer to that is quite simple, everything! From the standard SMS, MMS, Contacts, and Call Logs to the meaty data involving the posting, sharing, commenting, chatting, bashing, liking, favoriting, tweeting, and browsing in social media to the locating, logging and storing files in applications. Factor in that all this data is stored on the device, and not on a network server, with your mobile provider, or your company. Now, multiply the fact that most of today’s communication occurs outside of the normal SMS/MMS via messaging applications, and you realize a mobile forensic solution that can effectively uncover this important data is now a necessity. A perfect example of this happened recently when I spoke to a group of over 200 forensic examiners. I simply asked them to raise their hands if they had examined a mobile device for an investigation. Immediately hands shot up from over 80% of the attendees. I asked them to continue to leave their hands up if during the last examination of a mobile device they looked at any application data from third party applications on the smart device. Only 5 hands remained up. That is less than 3% of the attendees, which is typical, if not a little high, for the normal educational seminar I conducted. Mobile device hardware, operating systems and applications are advancing at a pace never seen before. Should not our investigative tools and priorities advance as well? The ability to search and recover mobile data from applications on smart devices is difficult and often limited when using current mobile solutions. Research shows that only 5 to 10% of the entire user data area is examined by typical mobile forensics tools. This leaves 95% of application data unanalyzed, and a lot of times uncollected. The net result shows that most examiners have minimal insight into the mobile application data because of the lack of support of their current tool, the lack of time and the lack of training. Current software tools simply extract contacts, SMS/MMS, call logs, media and possibly email. Some go as far as capturing URL, browser data, Wi-Fi information, and some application data. As for analyzing applications, most solutions allow the parsing of only select applications, limiting examiners to obtain evidence from about .002% of all applications available. In other words, the average forensic tool supports about 30 applications out of a total of 1.6 million iOS and Android apps. Of those 30 applications, the forensic solution is at the mercy of the developers’ upgrades, schema changes and table changes. With these ongoing mobile device application updates, the application is no longer supported by the forensic tool and further technical development is needed. AccessData’s Mobile Phone ExaminerPlus™(MPE+)breaks this mold allowing the parsing, extracting and reporting of any and all mobile applications. MPE+’s SQLBuilder™ (Figure 1) allows examiner to parse the data of all applications containing a SQLite database. If the data is held in a JSON string, MPE+ allows you to customize scripts by utilizing the pythonScripter™ (Figure 2), a feature that helps you build python scripts easily and without any scripting experience. If the application’s files are new and unknown, examiners can build their own script to extract and analyze the application data. In today’s big data world, customizable user features are very important as they give power to the user to mold the analysis to the task, without allowing the software to dictate how and what they are to extract and analyze. Figure 1 – MPE+ SQLBuilder   Figure 2 – MPE+ pythonScripter   Understanding that we live in a big data world and realizing the fact that mobile forensic examinations now contain data in many different forms and formats will ultimately lead to investigative success. Data can arrive in physical image files, flat binary files, individual files or folders, and proprietary forensic tool formats. With this in mind, AccessData’s MPE+ allows the import of these many different images. MPE+ automatically recognizes the various formats, i.e. iOS and Android file systems, and quickly allows the critical user data to be extracted. Not only does MPE+ automatically parse the standard user profiles, but also allows for a deep analysis of the application data contained in the mobile device filesystem. Understanding that mobile device data is just a piece of the big data pie, any image can be included into the overall digital case while utilizing AccessData’s MPE+. This digital case can then be opened in AccessData’s Forensic Toolkit® (FTK®)if additional digital data images like computer hard drives, server data, RAM fragments, flash drive and any other digital data source. This allows the power of all the AccessData tools to work together to harvest the relationships and paint the collective picture of ALL the relevant data within a case. In today’s big data world being prepared for the collection and analysis of mobile device data is the first step to gaining a clearer picture of today’s data.In today’s Big Data world, AccessData’s MPE+ not only helps you obtain data other solutions miss, it also empowers your investigation with “industry first” advanced analysis capabilities no other mobile forensic tool offers.

Posted in Information | Tagged , , , , , , | Leave a comment

An Interview with Robert Dare on EDiscovery and ADUC

Today’s podcast was with Robert Dare a forensic examiner working in the corporate environment.  We talk about his views on mobile devices in the ediscovery world, his usage of AccessData’s Mobile Phone Examiner Plus (MPE+) and the Access Data Users Conference.

Posted in Podcasts | Tagged , , , , , , , , | Leave a comment

Interview with Terry Sneary

In today’s interview we are speaking with Terry Sneary one of America’s finest from Ohio. Terry works in digital forensics and speaks to us about real cases, real work and real actions using AccessData’s Mobile Phone Examiner Plus (MPE+).

Posted in Podcasts | Leave a comment

Interview with Bruce Downey

Bruce Downey had been doing forensics for many years in Ontario Canada and is seeing more mobile devices than computers now.   Listen to Bruce as we speak about a few cases he has seen, how he solved them and also the types of devices he is running into on a daily basis.

Posted in Podcasts | Leave a comment

The Forensic Snake: Using Python to Squeeze the Mobile Device

When I started my pilgrimage into mobile forensics, I did so with the goal of providing the law enforcement community with the tools and training that would assist investigators in extracting relevant data from cell phones. Back then, mobile forensics was limited to obtaining contact lists, SMS messages, and sometimes call logs. This information helped solve many cases. It also solidified the fact that data living on mobile devices was a potential source of evidence waiting to be discovered.

As my own mobile forensics training progressed, so did the technology of mobile devices. In a relatively short period of time, cell phones and mobile devices were no longer used only to send text messages and make phone calls. Mobile devices were now used to send and receive emails; send and receive MMS message with file attachments; take photos and videos using the device’s camera; store images, videos, and other media; browse the Internet; and communicate with others using an ever increasing number of software applications or apps. With these enhanced capabilities came the possibility of obtaining additional evidence such as EXIF data from images stored on a device, internet browser history, Wi-Fi locations used to access the Internet, stored passwords, and more.

A bottleneck in the forensic community was inevitable as we struggled with too many devices, too many data types, and too few options in the collection of mobile device data. The technology of mobile devices was progressing more rapidly than advancements in the development of mobile forensics tools. As a result, I was forced to rely on manually parsing the data.  I focused my training on extracting, manually locating and converting the data into a readable format, and making it presentable in court. This is where scripting for me started. I wanted to automate the repetitive task of manually parsing data.

Fast forward to today.  Mobile forensic tools are still inept in properly parsing and displaying all the data that might be available on a mobile device. This is not the fault of the mobile forensic tool, but the fault of a rapidly changing mobile device environment. Since software is written by a developer in real time, developers are already behind before they even start coding a single line. This is a fact that no software company would deny. I have always believed that “in order to be prepared for tomorrow you have to think about tomorrow today.” Today is no different. This is the reason why MPE+ has evolved to allow the examiner to adapt to today’s problems in real time. MPE+ provides tools that can be customized to adapt to changes and address challenges faced by the examiner at any time. Investigators do not have to wait for a software upgrade, but can utilize MPE+’s tools already at their disposal.

With this in mind, MPE+ includes the pythonScripter. PythonScripter was developed to give the examiner a way to support data extraction, parsing and reporting of mobile device data without waiting for the software developer to create the code.  The MPE+ pythonScripter allows the examiner to create, import or use preconfigured python scripts against any data imported into the MPE+ interface. This allows MPE+ to support an unlimited amount of devices, unlimited data types for carving, unlimited extraction support of image location data, unlimited extraction support of meta data and more.  With pythonScripter, MPE+ can even support the parsing, conversion and reporting of data from a phone born today.
As an example, we can say MPE+ does not directly support GPS devices. However, utilizing a physical image of a GPS device obtained with MPE+, we can use the file system view to navigate the folder containing the GPX data.  Once the folder of interest is located, we can right click on the folder selected from the predefined selections and parse the GPX data. (Figure 1)

Run pythonScripter

pythonScripter Selection

Figure 1

Using the pythonScripter dialog we can select a predefined python script, or build one  to parse and display the critical data from the GPX file. (Figure 2)

pythonScripter Dialog

pythonScripter Dialog

Figure 2

Both waypoints (Figure 3) and track points (Figure 2) can be parsed. Therefore, artifacts like time, elevation, latitude, longitude and even waypoint name can be extracted.

Lat Long of gpx

Latitude and Longitude Output

Figure 3


The data can now be overlaid onto a map to visualize the waypoints, route or track. (Figure 4)


GPS Mapping

GPS Mapping of route

Figure 4


As we know, the location information can benefit any examination.  The location information is used not only in GPS devices, but applications on mobile devices and images taken by those devices as well. When using a python script that extracts location information from images, a user can identify the location where the picture was taken and quickly plot this location on the map.   Also beneficial is the fact that investigators can develop a script to look into every file on the mobile device; including file headers, file types, and even data and code strings.  Once these scripts are created they can be further customized or edited by the user at any time.

A perfect example of customized scripting would be, utilizing a previously written script to locate all the IP (Internet Protocol) addresses on a Facebook account by the use of regular expressions. To do this, users can simply right click on the com.facebook.katana folder and select pythonScripter.   Utilizing the browse button, users can choose the previously written script to iterate through all the files and folders and identify a particular pattern. The customized script we utilized for this example quickly located the IP pattern and displayed the file names containing various IP addresses found in the Facebook application files (Figure 5).  Users can then map these IP addresses to a map module for visualization.  (Figure 6).

IP Addresses

IP Addresses parsed

Figure 5

IP Addresses over Map

IP Pin Map

Figure 6

With the pythonScripter, the power of uncovering maximum data is at your fingertips. Prior to the development of MPE+’s pythonScripter, these advanced automated analysis capabilities were not possible.

Data carve any file, extract critical data no other tool can extract,  and put a mobile device at the scene by extracting location information quickly and automatically are just a few features that can be accomplished only with MPE+ and the pythonScripter.

The pythonScripter is just another example of how MPE+ is introducing an entirely new approach to mobile device forensics.

Posted in Training | Tagged , , , , , , | 2 Comments

Building a Solution to Today’s Problem: Mobile Device Application Overload

Crime today is no longer confined to the streets. Crimes are increasingly committed in a cyber-world. Looking back, I recalled patrolling the streets as a young officer in a Pacific Northwest city, and responding to calls for service involving domestic disturbance, burglary, robbery, grand theft, battery, and homicide. Officers receiving calls from dispatch via radio eventually transitioned to officers receiving information on mobile data terminals (MDT). We arrived on scene, did the best we could to resolve the situation, and left; later documenting the event by pen. During these calls for service, we could really see the situation for what it was. There was no Facebook, Instagram, Twitter, Ask, Secret or any other social media. The event occurred in real time. Cyber bullying, cyber stalking, and any other cyber related crimes were not part of the equation. Cybercrimes, at that time, were chalked up to the darkest form of crime, the online sexual exploitation of children. When I transitioned to the computer crimes task force, I saw first-hand how this heinous crime had no boundaries or limits. It lived in a space that was un-policed, without jurisdiction and honestly infinite. It was at that time I realized that crime would, one day, move from the streets to the realm of the digital environment; an environment with infinite possibilities and no discernible edges.

Fast forward to today. Law enforcement has a better grasp of the fact that digital evidence exists for almost every crime imaginable. However, law enforcement does not have a grasp on the “mobility” shift; the world of the mobile device application or app, and the likelihood of evidence being contained within an application’s data on a mobile device.

Currently, 91% of people worldwide use some sort of mobile device, and 82% of mobile media time is spent via an application. There are over 800,000 applications available from the Apple Store, and over 800,000 applications available from the Google Play Store. Over 16 billion photos alone have been shared via Instagram. There are over 1 billion active Facebook users worldwide. Over 200,000 Google searches are conducted every minute of every day and over 600,000 emails are sent every minute of every day. These statistics are staggering. Data from these mobile applications are stored in that application’s SQL database, located on the mobile device. Considering that a crime can be facilitated, or committed via a mobile device or mobile application, it is imperative that law enforcement be able to quickly adapt to the ever evolving world of mobile applications and mobile forensics. Access Data’s Mobile Phone Examiner Plus (MPE+) provides law enforcement with that ability through the SQL Builder.

The MPE+ SQL Builder is not an add-on tool, but a feature built into AccessData’s Mobile Phone Examiner Plus (MPE+). This feature allows the user to build custom queries simply by selecting the SQL database, the relevant table or tables, and the associated rows containing the data. These queries can be built as soon as an application is available. Users of MPE+ do not need to wait for a software upgrade to be able to process the new application’s data. Once the query is built, a user simply executes the query and the data is pulled from the database into the interface. This data can then be published into the MPE+ interface and can be immediately reported on. This feature makes every app database open for investigation and the hidden data types exposed. All other mobile forensic solutions have a limited number of applications they support but they only allow users to visualize that data. Therefore, extracting the data with these other solutions is cumbersome and difficult. With MPE+ SQL Builder, users simply create their own queries and execute on ANY and ALL applications. In essence, all applications utilizing a SQL Database are supported by MPE+. What is even better, the user can also save those queries for later use, or share them with other MPE+ users!

For example, let’s talk about using KiK Messenger as a form of communication. KiK is one of many popular communication software apps available to both Android and iOS. When over 70% of communication is via apps and not built in messaging like SMS and MMS, it is important that users can extract the data they are seeking. Using the MPE+ SQL Builder a user simply right clicks on the database file, kik.sqlite and selects SQL Builder (Figure 1).

Figure 1

The SQL Builder then opens showing the various tables within the database. (Figure 2) The ZKIKMESSAGE Table is selected and the rows are shown in the adjacent column.

Figure 2

Once the rows are selected, users can add or remove a row using the navigational arrows between columns. Users can also assign the appropriate data type to the selected row. This is critical since the data types can vary between applications. Once the data type is assigned, users can execute the query to display the parsed data below. This query can be saved for later use by selecting the Save button. (Figure 3)

Figure 3

After the data is displayed, users can still change the data type if needed and press “execute” again. This is important since Android can have numerous date and time formats. Once the data executed is complete users can publish the results to the MPE+ interface to be included in the AD1 forensic image as well as the report. (Figure 4)

Figure 4

Today, criminals are assisted in the commission of their crimes by the mobile devices and applications they use. Application evidence is critical in any and all investigations. By allowing the user to pull this important and volatile data from any SQL database, AccessData’s MPE+ has given the upper hand to the law enforcement investigator. Using MPE+ SQL Builder, the relevant evidence can be extracted and a criminal’s intentions exposed.

Staying ahead of the app, MPE+ is changing the way mobile forensics is done by introducing an entirely different approach to mobile device forensics.


Posted in Information | Tagged , , , , | 1 Comment

The Failing “Find Evidence Button”

It has been quite evident during my R&D to develop a better solution to combat the rapidly changing dynamic of smart device collections one critical observation. The days of quick and dirty forensics is over. This theme resonated at this years LegalTech New York.

Data in today’s company environment cannot be watered down and honestly acceptable when given only half the story. “We support 50 of the most current applications and deliver the application data quickly” is the common mantra. What happens when your critical incident involves an application outside of the 50 most current applications? What happens when the mission critical data is within the supported application, but the solutions’ whambam incorrectly displays or misses the critical information? The kicker is that you can clearly see the data sitting within the database! There lies the thorn in automation. Automation leads to straight lines, no deviation, no human interaction. You get what you get, so don’t throw a fit. You are a victim of the then, but we live in the now.

With over 70% of smart device users using alternative forms of chat applications to communicate it takes a very different tool that the whambam – gotta-get-it-done-with-no-questions-asked solution can deliver. A tool is needed that can be steered and customized by an examiner; one that with the changing times can immediately be altered as needed. What if an application database schema changes, updates or a new application releases that is the next SnapChat? One cannot wait for the software to update, this information is needed now. We need a tool that can be molded in a way, programmed if you will, to be a chameleon. A mobile device collection tool that allows you to process data, assign data types and immediately publish the results. Results are what our customers demand and with the MPE+ SQL Builder the results you can obtain from any application are tremendous.

During the presentation in New York last week I presented the audience with a problem (there were of course several) during the application analysis session. A device comes into your practice missing SMS/MMS, but your information says the custodian chatted every second they could.  Understanding that in today’s dynamic there are many different ways to “chat” and using the standard SMS platform on the Android device is not the most common. So, using MPE+ SQL Builder we created our own queries to conform to the needed data and recovered chats from facebook, facebook messenger, pinterest and even images from snapchat. What is interesting to note. Some of these applications are “supported” by other solutions which all failed to recover the data we were looking for.

Using MPE+ we customized with surgical precision the data we wanted and what was requested by our customer; we even saved the query for later use if we run into the same request for that application data.

I want to put a new face on the collection of this data from smart devices. I want to put the examination in the hands of the examiner, to arm them with the tools necessary to adapt and overcome data in real time. Our cases cannot wait for an update or maintenance release.

If data/upgrades/updates are not going to wait for us why should we wait for them. Use a tool that takes a new approach to mobile device forensics.

Posted in Information, Products | Tagged , , , , , , | Leave a comment

Mobile Device and Social Media Raise Your Hand

As I travel and speak at various venues on social media applications and mobile devices I always open up with a question to the audience. Typically the audience is of the type that uses Electronically Stored Information (ESI) to help solve a crime, litigate a case or remedy a corporation “situation”. I first start out by asking the audience if they utilize the data from social media during ESI discovery. As the hands rise I see the same percentage of 20% holds true across the board no matter the venue. So let us look at the percentage of those using social media evidence in ESI collections to the percentage of actual users of social media on their mobile devices. I will look at statistics to come up with a conclusion stemming from a personal two prong question to the audience of “Do you own mobile device and if so do you use any type of social media?” I will put the polling numbers from my typical talk against those found globally in several categories to test my theory and hopefully gain a better picture of our current dilemma.

Number of Mobile Devices

How many people in the audience have one mobile device? 98%

How many people in the audience have at least two mobile devices; either a tablet or cellular phone? 30%

In 2013 Nielson conducted research on the mobile consumer showing that 61%users own a smartphone and 27% of the world own at least two mobile devices.

Figure 1 Nielson Global Smartphone Insights

Furthermore there are an estimated 6.8 billion mobile subscriptions worldwide estimates The International Telecommunication Union (February 2013). That equates to 96% of the world population.

Users of Social Media via Mobile Device

How many in the audience use social media on their smart device? 70%

Globally as indicated in both the Nielson 2013 report and over 55% of social networking consumption occurs on a mobile device. Percentage average for social networking globally is 67.5% as mentioned in the article.

Figure 2 Nielson report showing percentages of users and social media and application usage with smart devices. Nielson 2013

Usage of Social Media ESI from Mobile Devices

How many in the audience have used social media ESI from a mobile device as evidence? 20%

Today, more than 95% of all information is electronic and further research indicates that almost all cases today will involve some sort or electronic evidence.

What is extremely interesting as noted by in an October 4, 2013 blog is that the pace of cases involving social media has so rapidly accelerated it has been very difficult to keep up. They identified 88 cases in just September 2013 where social media was key to the case and were published on Westlaw.

…only one percent of total cases result in published opinions…one can safely assume there were tens of thousands of more legal matters involving social media.

Further examination of the cases listed from 2010 and 2011 only two percent mention a mobile device and social media. 320 published cases so far for the first half of 2012 and only one percent mention mobile devices and social media. This is quite staggering and disappointing considering the numbers outlined below.

Putting This Together

Looking at the numbers we see that my polling numbers are very consistent with numbers gathered by marketing agencies.

98% of my attendees have a mobile device while 96% of people in the world have a mobile device.
70% of my attendees use social media on their mobile devices as compared to the 67.5% globally.
Whilst 95% of all ESI is electronic and 55% of the social media consumption occurs on a mobile device one would say this evidence is widely utilized. This is definitely not the case when looking at the mere 2% of published cases and a 20% usage by my attendees using mobile device social media evidence.

What This Comes Down To

I always follow up asking the attendees why there is such a low number of examiners, corporations, service providers and legal teams utilizing data from a mobile device. The differences in answers are quite enlightening which typically center on awareness. Some of the examples and my opinions are listed next.

  1. This ESI can be found somewhere else
    1. This is very common, but honestly Facebook data (or any data) on a mobile device is much different than on Facebook’s server or living on the custodian’s PC. Local images, cache and deleted posts along with associated applications are a few differences.
  2. Logistics
    1. Complexity, software, knowledge are but a few that can be lumped into logistics. There are very competent service providers that can help train, conduct collections and evidence analysis as well as testify to the procedures that need to be followed in a court of law.

The Take Away

Those conducting any type of investigations from legal and corporate review, HR, criminal and civil cases must understand information contained on a mobile device is much more relevant and often critical to the painted picture, especially when it comes to social media. This information can be obtained quickly and efficiently from these mobile devices, extracting critical data and analyzing the information to be used immediately or stored for retention. AccessData’s Mobile Phone Examiner Plus is one such tool.

The only question you need to ask yourself when determining if social media from a mobile device is critical to your case.

What did you do on your mobile device today?




Posted in Information | Tagged , , , , , , , | Leave a comment

What’s Up With Whatsapp

WhatsApp Messenger is a cross platform mobile application which allows you to exchange messages without paying for SMS. This information is taken from that also describes that the application can be used on the iPhone, Android, Blackberry and Windows Phone. What it does not say is that this application has now 350 million active users each month. Users can share photos, chat and more all without SMS services of the cellular carrier. What this means to you the examiner is easy, the simple automated tool that extracts the SMS is going to miss a tremendous amount of information. Moreover, if your case hinges on a message that was sent or received you should be prepared to examine this application if it exists.

Taking a look at the database that we obtained from an iOS device running iOS 7 using AccessData’s MPE+ iLogical function you can quickly see it is a SQlite database typical to all applications on iOS and Android. Let’s look at the databases in the net.whatsapp.Whatsapp folder.

Figure 1 Filesystem view

Contained in the Documents folders are both the ChatStorage.sqlite file and Contacts.sqlite. Both are self-explanatory with ChatStorage containing chats and Contacts containing the contact lists. The Library folder contains the application data as well as the Snapshots folder. This folder will hold the last screens used and are stored in a png format. This can be some great information. Typically there will be one picture of the last chat and also the last contact screen. The Media folder is a treasure trove holding any audio, video or images shared and sent via the WhatsApp application. What is even better is this information is listed in subfolders with the Whatsapp user name. The Whatsapp user name is going to be the phonenumber associated with the user. An example is shown below. The net.whatsapp.Whatsapp.plist shows the user information for the device you are examining. This contains the username, status and associated times.

Figure 2 Media folder location

The real examination comes when we look inside of the databases. Let’s first look at the Contacts.sqlite file.

The Contacts.sqlite has several tables that correspond to the buttons in the application. The favorites table uses both the WACONTACT and WAPHONE table to identify the users. Using the PHONE column in both the WAFAVORITES and WAPHONE table you can ascertain the phone number associated in the WACONTACT table to determine the full name of the Whatsapp contact. The WACONTACT table is a duplicate of the iOS device contacts at the time of accepting the access requested by WhatsApp to access the devices contacts. The most important database to an investigation is going to be the ChatStorage.sqlite file which is also located in the same directory as the Contacts.sqlite.

The ChatStorage.sqlite contains several tables as well. For brevity I am going to only speak about a few. The WACHATSESSION table lists the active chats, the last date, the name of the user and their ID. The WAMEDIAITEM table lists the location in the filesystem, geolocation and a ton of metadata associated to the media stored. The WAMEDIALOCALPATH column points to the filesystem of the device showing where that attached media item is located. Using this table along with WAMESSAGE table you can link the media to the chat session and associated user. Speaking of the WAMESSAGE table let’s get into the most important table in my opinion.

The WAMESSAGE table contains several rows of importance but we are only going talk about ISFROMME, MESSAGESTATUS, MESSAGETYPE, MEDIAITEM, MESSAGEDATE, FROMJID, PUSHNAME, TEXT and TOJID. These tables can put together a complete picture for you as an investigator. Let’s get started.

ISFROMME – This column indicates if the message originated from the active account of the database you are examining. The column will contain a 0 or a 1. 1 indicating that the message originated from the database you are examining and it’s account and if a 0 the message did not.

MESSAGESTATUS – This column indicates the status of the message. If the message that has been sent or received has been read by both parties you will see a 2. If only one party as read the message it will have a 1. If there is a 0 this has been seen to indicate part of a group message or whatsapp message. If you look at the interface and see a check next to the message the table will reflect a 1; if there are two checks you will see a 2.

MESSAGETYPE – This column indicates if the message is a regular message, contains a file, is a message from whatsapp or has location attachment. If this column contains a 0 the message contains text, 1 will contain media, 6 is a whatsapp message and 5 indicates a location was sent. The location is a media file that can be found in the stored media folder as well.

CHATSESSION – This column indicates the chat session number. This table would be used to show the entire thread of the chat session.

LASTSESSION – This column will indicate the last message in the CHATSESSION. The number is corresponds to the CHATSESSION number and is in the column to indicate that message is the last message in the thread.

MEDIAITEM – This column give the media number that corresponds to the WAMEDIAITEM table.

MESSAGEDATE – This column gives the date of the message when sent and when read by the user. This format will depend on the OS whatsapp is running. For iOS it is a MAC Date and for Android I have seen microseconds.

FROMJID and TOJID can be used to get additional information on the whatsapp users.

PUSHNAME – This column will identify the name of the username of the sending party and can be tied to the contacts database for more information on the user.

TEXT – This column contains the chat text.

Of course with any release of an application the tables and associated markers can change, so please look into the data and make sure the information contained in this document is what you are seeing.

The best part about the database is the output when you put it all together. Using AccessData’s MPE+ I am able to select the database and then the associated tables and rows and create immediate output of the data into my report.This is all done without even leaving the application. Below is an example of pulling the data from whatsapp for the geolocation, date, URL in the database folder, the name of the user that sent the media and if any text was associated with the media. This can immediately be published into a report.

Figure 3 Pulling whatsapp data sample

Another example is using AccessData’s MPE to pull the content from the message table, associate with the user and get the date of the message. What is fantastic is the fact these queries are all saved and can allow reuse over and over in your examinations.

Figure 4 Pulling message data from whatsapp

Locating and analyzing application data on smart devices is of paramount importance in today’s digital examinations. Whatsapp is only one application in a sea of millions of iOS and Android applications available for smart device users.

If you are relying on the simple automated solution to pull data from the standard locations you are missing valuable data that can be easily obtained using tools built to handle the analysis of this type of digital data.






Posted in Information, Products, Training | Tagged , , , , , , | 1 Comment

Modern day hieroglyphs.

Depending on the age of the person using SMS messaging or receiving SMS messaging you may know what an emoji is.  If you do no know what an emjoi is let me give you first the description/definition and some examples.

Wikipedia:  Emoji (絵文字, or えもじ?); Japanese pronunciation: [emodʑi] is the Japanese term for the ideograms or smileys used in Japanese electronic messages and webpages. Originally meaning pictograph, the word literally means “picture” (e) + “letter” (moji).

Some examples of these from the iPhone emoji set:
iPhone emoji



So what do these little items have to do with SMS and more than one meaning.

Since SMS is utilized more than voice in today’s world we try to infer the meaning, the tone, the attitude of each and every SMS message.  These emojis can change the meaning of once thought benign SMS to fighting words in a blink of a smiley.

A perfect example would be a simple message sent from a colleague.

what was sent:          Hey, great job today!Thumb down

what was received:   Hey, great job today!

Now of course that is not the best example, but you as a receiver of this SMS message feel pretty good about how you performed (because you did not receive the emoji), but the actual sender thought differently.  Now lets think about this as a forensic examiner.  Could a message that is sent by a nefarious sender have a different meaning if your software cannot decode the iPhone emojis?

I am coming to get you!

I am coming to get you!

I am coming to get you!

Without a doubt the SMS messages have different meanings even with the same text content.  Which one would you like to take to court?  Most likely the one with the firearm, but what if the third is the only option as so many software solutions portray.

In AccessData’s MPE+ the iPhone emojis will display in the SMS readout to help portray the meaning of the SMS message.  Using MPE+ you can see exactly what emoji was used in the SMS message. and that can help explain what the sender was intending.  In the examples below you can see there are some messages that are just emojis.  What if your software is not displaying these for you?  You might miss the entire meaning behind the SMS, since it is none existent in your report!

As you can see in these simple examples MPE+ will display the emoji that was sent along with the message.

In today’s electronic discovery you must “see” the entire picture as it relates to communication.  Communication in the world today is done via portable devices via applications and SMS so you must be prepared to decipher the modern day hieroglyphs. Having a tool that can help makes that job just a little bit easier.

Posted in Information, Training | Leave a comment