Some deleted chats or messages not being tagged as deleted #1843
Comments
|
Has he used the internal or external parser? If the internal one, maybe those messages exist and are not deleted. IPED is able to recover deleted WA messages from iOS, but it discards corrupted or duplicated messages. PA recovers many duplicated messages and doesn't discard them... If he used the external parser, maybe some regression was introduced recently (bug) or maybe the report.xml schema in the UFDR has changed recently (not a bug but lack of support for recent UFDR versions). |
|
He was using the internal parser, I think that the messages are really deleted, but I will confirm later, because he goes to that chat after seeing a message in the log saying that the group is deleted. In physical analyzer it appears as two chats one delete with the messages and another one not deleted but without any messages. |
|
Cool! So the tool could have recovered a deleted group, that is great. Of course we should tag it as such, if it really is. |
IPED log, Whatsapp log or PA log? |
|
WhatsApp log, I'm in the Interforensics event this week, because of that I will look at this only in the next week. |
|
Don't worry, take your time and enjoy the conference! |
|
I was looking at this today, and it seems like that there is a flag in the chat database ZREMOVED that is 1 when the chat is deleted. The chat is not really deleted, I don't know if it is marked and deleted later, or if it will remain marked forever. |
|
Thanks for looking into this! If user can't see the chat in the phone screen, I think we can flag it as deleted. |
lfcnassif
changed the title
|
https://reunir.unir.net/bitstream/handle/123456789/2832/Memoria_TFM.pdf |
|
Thanks @hauck-jvsh! I just wondered if the Android parser code is reading a similar column to ZREMOVED... Could you check? |
|
Maybe there is something similar, I can take a look at this. |
|
I found the hidden flag and a archived flag, but I'm not sure what the archived flag means. One thing that I notice, there is a table deleted_chat_job, but I don't know what it means. |
|
If you tap and hold your finger on a conversation in the conversation list, WhatsApp will show some options on the top, one of them is to archive the chat. On my turn, I didn't know about hidden chats, just found the option to enable it in the contact screen. |
#1843 Better identification of deleted chats and messages
Our coligue here, João Paulo, found a case with several deleted messages. These messages are recovered and marked as delete on the Physical Analyzer, but on IPED they are shown without the deleted mark. This occurs in version 4.1.1 with an IOS device. He is processing again using version 4.1.4 to see if it is happening in the last version.
The text was updated successfully, but these errors were encountered: