
Whatsapp ChatSearchV3 sqlite database

13 Posts
6 Users
0 Likes
5,506 Views
(@chillichicken)
Posts: 5
Active Member
Topic starter
 

Hello All,

I wonder if any of you could point me in the right direction of finding the actual purpose of the WhatsApp database 'ChatSearchV3'. I have found some chat content relating to an investigation in this database but not in 'ChatStorage'. My suspicion is that the conversation was deleted but perhaps WhatsApp still keeps the data in ChatSearch. It sounds like it's some sort of an indexing table but I want to read more about it to make sure I understand it.

I appreciate any input.

Thank you in advance.

 
Posted : 20/06/2018 8:23 am
(@pcook8198)
Posts: 20
Eminent Member
 

I would suggest it's the search function within WhatsApp. On Android if you open your conversation view, at the top is a Magnifying Glass (search function).

Typing words in there brings up messages (from all current chats) which contain the words you searched.

Therefore any chats deleted after the search will have the searched items referenced in the ChatSearch V3 table. So not the full conversation but only messages containing the searched items.

Hope this helps a little.

I'm currently running some tests to confirm this.

 
Posted : 21/06/2018 10:18 am
(@chillichicken)
Posts: 5
Active Member
Topic starter
 

I would suggest it's the search function within WhatsApp. On Android if you open your conversation view, at the top is a Magnifying Glass (search function).

Typing words in there brings up messages (from all current chats) which contain the words you searched.

Therefore any chats deleted after the search will have the searched items referenced in the ChatSearch V3 table. So not the full conversation but only messages containing the searched items.

Hope this helps a little.

I'm currently running some tests to confirm this.

This is really helpful. Thank you very much. I will do some tests on this too. Let me know if your tests reveal anything. Thanks again.

 
Posted : 21/06/2018 10:56 am
(@pcook8198)
Posts: 20
Eminent Member
 

What handset is it recovered from, and what OS and what version of WhatsApp?

I'm looking at an Apple 6s, iOS 10.3.1.

Within the database I see no search terms.

I am therefore thinking that your original assessment of an index of messages is looking good.

I have messages from live chats

And

Messages from chats which are deleted recovered

and

Messages from chats which no longer exist.

It's a very interesting scenario.

 
Posted : 21/06/2018 11:46 am
(@chillichicken)
Posts: 5
Active Member
Topic starter
 

What handset is it recovered from, and what OS and what version of WhatsApp?

I'm looking at an Apple 6s, iOS 10.3.1.

Within the database I see no search terms.

I am therefore thinking that your original assessment of an index of messages is looking good.

I have messages from live chats

And

Messages from chats which are deleted recovered

and

Messages from chats which no longer exist.

It's a very interesting scenario.

Oh wow, it's an iPhone 8+.

I find it very strange that forensic software AXIOM or UFED did not extract this information from the ChatSearchV3 database. Surely, if deleted messages can be recovered from this table, it's forensically significant.

 
Posted : 21/06/2018 1:02 pm
(@pcook8198)
Posts: 20
Eminent Member
 

I totally agree with you.

The mainstream software concentrates on the actual databases where, for want of a better term, the data sits re messaging.

They do not look at all databases relating to an application.

Hence a good rummage through all databases is very worthwhile.

PS: each message in the "docs_content" table has a "docid" associated with it. This ID in the "metadata" table has a date/time value (seconds from 2001).

Also it looks like the "c1Chatsession" column relates to the chat the message is associated to.

If a group chat, the first part is the ID of the chat creator, i.e. 44111111111-1012345678@g.us

I.e. the 4411111111 is the creator of the group chat.
I think the 1012345678 is a unique ID.
Together they make up the chat ID.

Therefore without the original chat it is difficult to say who sent the message (re data in the chat chatsearch db).

An ID of 4411111111@s.whatsapp.net is purely a chat with only two individuals, i.e. the handset being examined and the "other party".

The id should be the telephone number of the "other party"

 
Posted : 21/06/2018 1:45 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

The chatsearch database is a secondary DB that WhatsApp uses to hold the tables created by the SQLite Full Text Search (FTS) extension.

There is a section in my SQLite book about FTS.

Essentially the docid in the docs_content table relates to the zdocid in the chatstorage.zwamessage table. The c2content table in chatsearch relates to the text column on zwamessage.

I don't know when WhatsApp causes the FTS table to be populated, or how often/when it is updated. It seems to be quite common to get message snippets in the FTS table that are deleted in the zwamessage table.

 
Posted : 21/06/2018 10:23 pm
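
An added example, not part of the original posts and not code from any tool named in this thread: it cross-references docs_content against zwamessage on docid/zdocid to list index rows with no surviving message, converts the metadata value from seconds since 2001 to UTC, and splits the chat ID the way the posts above describe. The sample rows are constructed, and the `date` column name in `metadata`, the `ztext` column name and the `chatstorage` attach alias are assumptions; on a real extraction, attach the ChatStorage file under that alias and check the actual column names first.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def cocoa_to_utc(seconds):
    """Convert 'seconds from 2001' to an aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=seconds)

def parse_chat_id(jid):
    """Split a chat ID: creator-unique@g.us (group) or number@s.whatsapp.net."""
    user, _, server = jid.partition("@")
    if server == "g.us":
        creator, _, unique = user.partition("-")
        return {"type": "group", "creator": creator, "unique_id": unique}
    return {"type": "one-to-one", "other_party": user}

def orphaned_fts_rows(con):
    """Index rows whose docid has no matching zdocid left in zwamessage."""
    rows = con.execute("""
        SELECT d.docid, d.c1chatsession, d.c2content, m.date
        FROM docs_content d
        LEFT JOIN metadata m ON m.docid = d.docid
        LEFT JOIN chatstorage.zwamessage z ON z.zdocid = d.docid
        WHERE z.zdocid IS NULL
        ORDER BY d.docid""").fetchall()
    return [(d, parse_chat_id(c), t, cocoa_to_utc(s) if s is not None else None)
            for d, c, t, s in rows]

def build_sample():
    # Constructed data; only the columns named in the thread are modelled.
    con = sqlite3.connect(":memory:")
    con.execute("ATTACH DATABASE ':memory:' AS chatstorage")
    con.executescript("""
        CREATE TABLE docs_content(docid INTEGER PRIMARY KEY, c1chatsession, c2content);
        CREATE TABLE metadata(docid INTEGER PRIMARY KEY, date REAL);  -- 'date' is assumed
        CREATE TABLE chatstorage.zwamessage(zdocid INTEGER, ztext TEXT);
        INSERT INTO docs_content VALUES
          (1, '4411111111@s.whatsapp.net', 'still in ChatStorage'),
          (2, '4411111111@s.whatsapp.net', 'message deleted later'),
          (3, '44111111111-1012345678@g.us', 'group chat no longer exists');
        INSERT INTO metadata VALUES (1, 551231000), (2, 551232000), (3, 551235600);
        INSERT INTO chatstorage.zwamessage VALUES (1, 'still in ChatStorage');
    """)
    return con

if __name__ == "__main__":
    for row in orphaned_fts_rows(build_sample()):
        print(row)
```

A row returned here shows only that the index holds text with no live message row; as noted above, the sender cannot be determined from the chat ID alone.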
(@pcook8198)
Posts: 20
Eminent Member
 

Hi Paul

Fantastic.

We've been scratching our collective brain cell to figure it out.

Very much appreciated.

Kind regards

Paul

 
Posted : 22/06/2018 5:47 am
(@chillichicken)
Posts: 5
Active Member
Topic starter
 

The chatsearch database is a secondary DB that WhatsApp uses to hold the tables created by the SQLite Full Text Search (FTS) extension.

There is a section in my SQLite book about FTS.

Essentially the docid in the docs_content table relates to the zdocid in the chatstorage.zwamessage table. The c2content table in chatsearch relates to the text column on zwamessage.

I don't know when WhatsApp causes the FTS table to be populated, or how often/when it is updated. It seems to be quite common to get message snippets in the FTS table that are deleted in the zwamessage table.

Perfect! Thank you very much! We've got the book so will do further reading on this.

 
Posted : 25/06/2018 8:57 am
(@chillichicken)
Posts: 5
Active Member
Topic starter
 

Hi Paul

Fantastic.

We've been scratching our collective brain cell to figure it out.

Very much appreciated.

Kind regards

Paul

Thank you for your help, Paul. I'm glad you were intrigued by this as much as I was.

 
Posted : 25/06/2018 8:58 am