dfirhub

WhatsApp

Apps v1.1

Author: Matt Dawson, SolitudePy

description

WhatsApp Local Files

paths

4 paths

Apps: WhatsApp Cache
C:\Users\%user%\AppData\Roaming\WhatsApp\Cache

Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files

Apps: WhatsApp Local Storage
C:\Users\%user%\AppData\Roaming\WhatsApp\Local Storage\leveldb

Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper

Apps: Microsoft Store WhatsApp Cache
C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache

Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files

Apps: Microsoft Store WhatsApp Local Storage
C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb

Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper

paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: WhatsApp
# Run as Administrator

#Requires -RunAsAdministrator

# Suppress errors (e.g. a source path that does not exist on this host) so the script runs to completion
$ErrorActionPreference = "SilentlyContinue"
# Root folder for collected evidence; point this at the mounted evidence drive
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# Note: $env:USERPROFILE resolves to the profile of the account running the script;
# substitute the target user's profile path to collect from a different account
# 1. WhatsApp Cache
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\WhatsApp\Cache"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "WhatsApp_Cache"

# 2. WhatsApp Local Storage
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\WhatsApp\Local Storage\leveldb"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "WhatsApp_Local_Storage"

# 3. Microsoft Store WhatsApp Cache
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Microsoft_Store_WhatsApp_Cache"

# 4. Microsoft Store WhatsApp Local Storage
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Microsoft_Store_WhatsApp_Local_Storage"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
