Saturday, April 2, 2016

WhatsApp chat parser for Windows Phone 7.8


WhatsApp messages are stored in a SQLite3 database named messages.db in the path \Applications\Data\218A0EBB-1585-4C7E-A9EC-054CF4569A79\Data\IsolatedStore. Contacts are stored in contacts.db.


The contacts.db database has no embedded pictures. Contact profile pictures are stored in the subfolder profilePictures. These files are named in the format MobileNumber@s.whatsapp.net_thumb with no file extension.


Messages are stored in the table Messages of the database messages.db. The KeyFromMe field indicates whether a message was received (value 0) or sent (value 1). The same table has a field named BinaryData, which contains a small thumbnail of the multimedia attachment. The table MessageMiscInfos may contain a larger thumbnail in the LargeThumbnailData field. The field common to the two tables is MessageID.



The version number of the application is stored in the file named version. The WhatsApp version 2.11.670 shown below was released in late February 2015.


Based on these findings, I wrote a script to automate the parsing. To use it, type:

wp78_wa.py messages.db

The script will create four folders, named after the output they contain:


Thumbnails are saved as .jpg files with the name format:
KeyRemoteJid_MessageId_ThumbnailSize.jpg.
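The join between Messages and MessageMiscInfos and the thumbnail naming scheme described above, as an added example that is not part of the original post and is not the wp78_wa.py script. Table and column names come from the post; the in-memory database, the JIDs, the "small"/"large" size labels and the JPEG magic-byte check are assumptions made for illustration.

```python
import sqlite3

JPEG_MAGIC = b"\xff\xd8\xff"  # assumption: thumbnails are JPEG, as the .jpg output suggests
DIRECTION = {0: "received", 1: "sent"}  # KeyFromMe values as given in the post

def build_sample_db():
    """Constructed in-memory stand-in for messages.db (only columns the post names)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Messages (MessageID INTEGER PRIMARY KEY, KeyRemoteJid TEXT,
                               KeyFromMe INTEGER, BinaryData BLOB);
        CREATE TABLE MessageMiscInfos (MessageID INTEGER, LargeThumbnailData BLOB);
    """)
    jpg = JPEG_MAGIC + b"\xe0constructed"
    con.executemany("INSERT INTO Messages VALUES (?,?,?,?)", [
        (1, "15550100@s.whatsapp.net", 0, jpg),            # received, small thumbnail only
        (2, "15550100@s.whatsapp.net", 1, None),           # sent, no attachment
        (3, "15550101@s.whatsapp.net", 1, jpg),            # sent, small and large thumbnail
        (4, "15550101@s.whatsapp.net", 0, b"not a jpeg"),  # blob that is not an image
    ])
    con.execute("INSERT INTO MessageMiscInfos VALUES (3, ?)", (jpg + b"-large",))
    return con

def extract_thumbnails(con):
    """Return {filename: (direction, jpeg_bytes)} for every thumbnail found."""
    # LEFT JOIN: not every message has a row in MessageMiscInfos.
    rows = con.execute("""
        SELECT m.MessageID, m.KeyRemoteJid, m.KeyFromMe,
               m.BinaryData, i.LargeThumbnailData
        FROM Messages m
        LEFT JOIN MessageMiscInfos i ON i.MessageID = m.MessageID
        ORDER BY m.MessageID""")
    out = {}
    for msg_id, jid, from_me, small, large in rows:
        direction = DIRECTION.get(from_me, "unknown")
        for size, blob in (("small", small), ("large", large)):
            # Skip NULLs and blobs that do not start with the JPEG signature.
            if blob is None or not bytes(blob).startswith(JPEG_MAGIC):
                continue
            # Name format from the post: KeyRemoteJid_MessageId_ThumbnailSize.jpg
            out["%s_%s_%s.jpg" % (jid, msg_id, size)] = (direction, bytes(blob))
    return out

if __name__ == "__main__":
    for name, (direction, data) in sorted(extract_thumbnails(build_sample_db()).items()):
        print(name, direction, len(data), "bytes")
```

On an evidence copy, open the database read-only, for example with `sqlite3.connect("file:messages.db?mode=ro", uri=True)`, and pass that connection to `extract_thumbnails`.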

Each conversation is saved as a separate HTML page (each table is sortable by clicking the column header). The html_short folder contains a reduced output with just a few columns. 


If you get the error sqlite3.DatabaseError: file is encrypted or is not a database
when running the script, you have to replace the sqlite3.dll file in C:\Python27\DLLs with the most recent version available here.

4 comments:

  1. Wow, great job Gabriele! But what program did you use to open messages.db? I tried on a WP 8 database, but neither SQLite Forensic Explorer nor sqlite browser could open it.

    1. Hi, I used SQLiteSpy v1.9.10 (http://www.yunqa.de/delphi/products/sqlitespy/index).

  2. Hi Gabriele.

    Would you know how to read the encrypted messages.db file from the WhatsApp backup?
