Introduction
Mobile applications store a wealth of information that can be crucial evidence in investigations. From instant messaging apps to banking applications, understanding how to extract and analyze app artifacts is essential for any cyber crime investigator. This part covers forensic analysis of popular apps used in India.
By the end of this part, you will be able to extract and analyze artifacts from WhatsApp, social media apps, banking applications, browsers, and location/GPS data.
WhatsApp Forensics
WhatsApp is the most popular messaging application in India with over 500 million users. It is frequently involved in cyber crime investigations.
WhatsApp Data Locations
# Android WhatsApp data locations (private app directory; needs root or a full file-system extraction)
/data/data/com.whatsapp/
databases/msgstore.db # Messages, chats and call log (plain SQLite)
databases/wa.db # Contacts
databases/axolotl.db # Signal Protocol identity and session keys
shared_prefs/ # Settings, registered phone number
files/key # Decryption key for .crypt12/.crypt14 backups
files/encrypted_backup.key # Key for end-to-end encrypted (.crypt15) backups, if the user enabled them
# External storage (readable without root; an MTP copy or user-level ADB pull is enough)
/sdcard/WhatsApp/ # Android 10 and earlier
/sdcard/Android/media/com.whatsapp/WhatsApp/ # Android 11 and later (scoped storage)
Databases/msgstore.db.crypt14 # Encrypted backup (.crypt12 on older builds, .crypt15 for end-to-end encrypted backups)
Media/ # Shared media files
Backups/ # Manual backups
# iOS WhatsApp locations (domain name as it appears in an iTunes/Finder backup)
AppDomainGroup-group.net.whatsapp.WhatsApp.shared/
ChatStorage.sqlite # Messages and chats
ContactsV2.sqlite # Contacts
Key WhatsApp Artifacts
Messages (msgstore.db)
All chat messages including text, timestamps, sender/receiver, read receipts, and message status.
Contacts (wa.db)
WhatsApp contacts with phone numbers, display names, profile pictures, and status.
Media Files
Shared photos, videos, voice notes, documents in /Media/ folder with metadata.
Call Logs
Voice and video call history stored in msgstore.db (call_log table; messages_calls in older builds).
WhatsApp Message Database Queries
-- Key tables in msgstore.db (legacy layout; newer builds rename messages -> message,
-- messages_calls -> call_log, and key messages by chat_row_id instead of key_remote_jid)
-- messages: Main message content
-- chat: Chat/conversation info
-- jid: Maps jid_row_id to the contact or group JID
-- call_log: Call history (messages_calls in older builds)
-- Extract all messages with timestamps (timestamp is milliseconds since the Unix epoch, in UTC;
-- 'localtime' applies the examination workstation's zone, so record UTC and convert explicitly in the report)
SELECT
key_remote_jid as contact,
data as message,
datetime(timestamp/1000, 'unixepoch', 'localtime') as time,
CASE key_from_me WHEN 0 THEN 'Received' ELSE 'Sent' END as direction
FROM messages
WHERE data IS NOT NULL
ORDER BY timestamp DESC;
-- Extract call logs (direction comes from from_me; call_result is the outcome code, not the direction)
SELECT
jid.raw_string as contact,
CASE from_me WHEN 0 THEN 'Incoming' ELSE 'Outgoing' END as type,
CASE video_call WHEN 1 THEN 'Video' ELSE 'Voice' END as kind,
datetime(timestamp/1000, 'unixepoch', 'localtime') as time,
duration
FROM call_log
JOIN jid ON call_log.jid_row_id = jid._id
ORDER BY timestamp DESC;
-- Find messages deleted "for everyone": message_type = 15 marks a revoked message
-- (5 is a location message). The data column is NULL but chat, sender and timestamp survive.
SELECT key_remote_jid, key_from_me, datetime(timestamp/1000, 'unixepoch', 'localtime') as time
FROM messages WHERE message_type = 15;
-- Messages deleted only on this device are removed from the table; look for them in the
-- msgstore.db-wal file, in unallocated pages, or in an older backup.
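The queries above are fine for a one-off look in a SQLite browser, but an investigator usually wants the same logic as a script that normalises JIDs to phone numbers, keeps timestamps in UTC, and flags revoked rows. The following is an added example, not code from the page or from WhatsApp: it builds a constructed msgstore.db subset in memory using the legacy table layout the queries use (messages, jid, call_log with from_me/video_call/duration columns) and parses it. The rows are made up; point build_sample_db at a real decrypted database by replacing ":memory:" with its path.

```python
import sqlite3
from datetime import datetime, timezone

# message_type values as WhatsApp stores them (0 = text, 5 = location, 15 = revoked).
MSG_TEXT, MSG_REVOKED = 0, 15


def wa_time(ms):
    """WhatsApp stores timestamps as milliseconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def jid_to_phone(jid):
    """'919876543210@s.whatsapp.net' -> '+919876543210'; group JIDs (@g.us) are left as-is."""
    user, _, domain = jid.partition("@")
    return "+" + user if domain == "s.whatsapp.net" else jid


def build_sample_db():
    """Constructed msgstore.db subset (legacy schema, made-up rows) for the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT,
            key_from_me INTEGER, message_type INTEGER, data TEXT, timestamp INTEGER);
        CREATE TABLE jid (_id INTEGER PRIMARY KEY, raw_string TEXT);
        CREATE TABLE call_log (_id INTEGER PRIMARY KEY, jid_row_id INTEGER,
            from_me INTEGER, timestamp INTEGER, duration INTEGER, video_call INTEGER);
    """)
    conn.executemany("INSERT INTO messages VALUES (?,?,?,?,?,?)", [
        (1, "919876543210@s.whatsapp.net", 0, MSG_TEXT, "Pay by tonight or else", 1742027400000),
        (2, "919876543210@s.whatsapp.net", 1, MSG_TEXT, "I do not have the money", 1742027460000),
        (3, "919876543210@s.whatsapp.net", 0, MSG_REVOKED, None, 1742027520000),
        (4, "120363012345678901@g.us", 1, MSG_TEXT, "meeting at 5", 1742030000000),
    ])
    conn.execute("INSERT INTO jid VALUES (1, '919876543210@s.whatsapp.net')")
    conn.executemany("INSERT INTO call_log VALUES (?,?,?,?,?,?)", [
        (1, 1, 0, 1742027000000, 0, 0),   # incoming voice call, never connected
        (2, 1, 1, 1742027100000, 95, 1),  # outgoing video call, 95 seconds
    ])
    return conn


def extract_messages(conn):
    rows = conn.execute("SELECT key_remote_jid, key_from_me, message_type, data, timestamp "
                        "FROM messages ORDER BY timestamp").fetchall()
    return [{
        "contact": jid_to_phone(jid),
        "direction": "Sent" if from_me else "Received",
        "time_utc": wa_time(ts).isoformat(),
        # A message deleted for everyone keeps its row, sender and time but loses its body.
        "text": "[deleted for everyone]" if mtype == MSG_REVOKED else data,
        "revoked": mtype == MSG_REVOKED,
    } for jid, from_me, mtype, data, ts in rows]


def extract_calls(conn):
    rows = conn.execute("SELECT jid.raw_string, from_me, video_call, timestamp, duration "
                        "FROM call_log JOIN jid ON call_log.jid_row_id = jid._id "
                        "ORDER BY timestamp").fetchall()
    return [{
        "contact": jid_to_phone(jid),
        "direction": "Outgoing" if from_me else "Incoming",
        "kind": "Video" if video else "Voice",
        "time_utc": wa_time(ts).isoformat(),
        "duration_s": duration,
        "answered": duration > 0,  # assumption: zero duration means the call never connected
    } for jid, from_me, video, ts, duration in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for m in extract_messages(db):
        print(m["time_utc"], m["direction"], m["contact"], m["text"])
    for c in extract_calls(db):
        print(c["time_utc"], c["direction"], c["kind"], c["contact"], c["duration_s"], "s")
```

Timestamps are emitted in UTC with an explicit offset; convert to IST only when writing the report, and say which zone you used. The revoked-row check is what lets you show that a message existed and when, even though its text is gone.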
WhatsApp Encryption
- End-to-End Encryption: Messages are encrypted in transit with the Signal Protocol, so WhatsApp's servers cannot supply content; it has to come from an endpoint or a backup
- Local Database: msgstore.db under /data/data/ is a plain, unencrypted SQLite file, reachable only with root or a full file-system extraction
- Backup Encryption: .crypt14 backups are encrypted with a per-account key that WhatsApp generates and stores on the device in files/key; the Google account does not hold this key
- Key File: /data/data/com.whatsapp/files/key (crypt12/crypt14) and files/encrypted_backup.key (crypt15) both require root to read
Encrypted backups (.crypt14) can be decrypted with the key file extracted from the device; end-to-end encrypted backups (.crypt15) additionally need the user's backup password or 64-digit key. Tools such as WhatsApp Viewer and wa-crypt-tools decrypt a backup when the key file is available. Without the key file or credentials, decryption is not practical: the backups use AES-256, so there is no offline shortcut, and the copy held in Google Drive is the same encrypted file.
Social Media Apps
Social media applications store significant amounts of user data that can be valuable in investigations.
Facebook/Facebook Messenger
| Artifact | Location (Android) | Content |
|---|---|---|
| Messages | /data/data/com.facebook.orca/databases/threads_db2 | Messenger conversations |
| Contacts | /data/data/com.facebook.orca/databases/contacts_db2 | Facebook contacts |
| Cache | /data/data/com.facebook.katana/cache/ | Cached images, posts |
| Notifications | /data/data/com.facebook.katana/databases/notifications_db | Notification history |
# Instagram Data Locations (Android)
/data/data/com.instagram.android/
databases/direct.db # Direct messages
shared_prefs/ # Account info, settings
cache/ # Cached images, stories
# Key SQL queries for direct.db (table and column names change between app versions;
# confirm them first with SELECT name FROM sqlite_master WHERE type='table')
-- Extract DM conversations
SELECT * FROM messages ORDER BY timestamp DESC;
-- Extract contacts
SELECT * FROM users;
Telegram
- Database: /data/data/org.telegram.messenger/files/cache4.db (plain SQLite, but message bodies are stored as Telegram's TL binary serialization rather than readable text)
- Media: /sdcard/Telegram/ (images, videos, documents)
- Secret Chats: End-to-end encrypted and cached separately from cloud chats; they exist only on the participating devices
- Challenge: A plain SQL query returns binary blobs, so cache4.db needs a parser that understands Telegram's serialization format
Twitter/X
# Twitter/X data locations (Android)
/data/data/com.twitter.android/
databases/[user_id]-66.db # Tweets, DMs (the numeric suffix is the schema version and changes with app updates)
cache/ # Image cache
# Key tables (names vary between versions; list them with SELECT name FROM sqlite_master WHERE type='table')
- statuses: Tweets
- direct_messages: DM conversations
- users: User profiles
In a harassment case, investigators extracted Instagram DMs showing threatening messages. The timestamps correlated with the victim's report. Cache files revealed deleted story views confirming the suspect was monitoring the victim's account.
Banking & Payment Apps
Banking and payment applications contain highly sensitive financial data. Understanding their storage is important for fraud investigations.
UPI Apps (PhonePe, Google Pay, Paytm)
Transaction History
UPI transaction records including amount, timestamp, UPI ID, and transaction status.
Account Details
Linked bank accounts, UPI handles, and contact payment history.
Contact History
Recent payment recipients and frequently contacted UPI IDs.
Security Logs
Login attempts, PIN changes, and device binding information.
PhonePe Data Locations
# PhonePe Data (Android)
/data/data/com.phonepe.app/
databases/ # Transaction databases
shared_prefs/ # Account preferences
# Note: Most sensitive data is encrypted
# Transaction details often server-side
# May need to request from service provider
Google Pay (Tez) Artifacts
- Package: com.google.android.apps.nbu.paisa.user
- Transaction Cache: May contain recent transaction metadata
- Account Info: Linked Gmail, phone number, bank accounts
- Server-Side: Most transaction data stored on Google servers
Paytm Artifacts
# Paytm Data (Android)
/data/data/net.one97.paytm/
databases/paytm.db # Local transactions
shared_prefs/ # User preferences
files/ # Cached data
# Paytm Payments Bank
/data/data/com.paytmbank/ # Banking app data
Banking apps use multiple security layers: certificate pinning, encrypted storage, root detection, and server-side storage. Local data extraction may yield limited information. Complete transaction records typically require formal requests to the financial institution or NPCI.
Browser Artifacts
Mobile browsers store browsing history, downloads, cookies, and cached content that can reveal user activities.
Chrome Browser (Android)
# Chrome data location (private app directory; requires root)
/data/data/com.android.chrome/app_chrome/Default/
History # Browsing history, downloads and keyword searches (SQLite)
Cookies # Session cookies
Web Data # Autofill entries, saved addresses and payment methods
Login Data # Saved logins (passwords encrypted with a device-bound key)
Bookmarks # Bookmarked pages (JSON file, not SQLite)
Top Sites # Frequently visited
# SQL query for browsing history (last_visit_time is microseconds since 1601-01-01 UTC;
# 'localtime' applies the workstation's zone, so prefer UTC and convert explicitly)
SELECT
url,
title,
datetime(last_visit_time/1000000-11644473600, 'unixepoch', 'localtime') as visit_time,
visit_count
FROM urls
ORDER BY last_visit_time DESC;
Safari (iOS)
# Safari data in an iOS backup (HomeDomain)
HomeDomain-Library/Safari/
History.db # Browsing history (history_items joined to history_visits)
Bookmarks.db # Bookmarks
SuspendState.plist # Open tabs on older iOS; newer versions keep tabs in BrowserState.db
# History.db query (visit_time is seconds since 2001-01-01 UTC, the Cocoa epoch, and may carry a fractional part)
SELECT
history_items.url,
history_visits.title,
datetime(history_visits.visit_time + 978307200, 'unixepoch', 'localtime')
FROM history_items
JOIN history_visits ON history_items.id = history_visits.history_item
ORDER BY visit_time DESC;
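The two SQL snippets above each hard-code an epoch offset, and getting either one wrong shifts every browser timestamp in a report by decades. As an added example (not code from the page), the script below converts both formats with explicit epoch arithmetic instead of float division, treats Chrome's 0 as "never visited" rather than 1601, and runs the page's two queries against constructed in-memory copies of the History tables. The table layouts are the minimal subset the queries need and the rows are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/Chromium: urls.last_visit_time is microseconds since 1601-01-01 UTC
# (11644473600 seconds before the Unix epoch). 0 means the URL was never visited.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Safari: history_visits.visit_time is seconds since 2001-01-01 UTC (Cocoa epoch,
# 978307200 seconds after the Unix epoch) and may be fractional.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
IST = timezone(timedelta(hours=5, minutes=30))


def chrome_time(value):
    """Chrome timestamp -> aware UTC datetime, or None for 'never visited'."""
    if not value:
        return None
    return CHROME_EPOCH + timedelta(microseconds=value)


def safari_time(value):
    """Safari History.db timestamp -> aware UTC datetime."""
    return COCOA_EPOCH + timedelta(seconds=value)


def fmt(dt, tz=IST):
    """Render in the reporting zone (IST here) with the offset kept visible."""
    return dt.astimezone(tz).isoformat() if dt else None


def build_chrome_sample():
    """Constructed subset of Chrome's History 'urls' table (made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.org/transfer", "Transfer funds", 3, 13386501000000000),  # 2025-03-15 08:30 UTC
        (2, "https://example.org/never", "Typed but never visited", 0, 0),
    ])
    return conn


def build_safari_sample():
    """Constructed subset of Safari's History.db (made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
            visit_time REAL, title TEXT);
    """)
    conn.execute("INSERT INTO history_items VALUES (1, 'https://example.org/transfer', 1)")
    conn.execute("INSERT INTO history_visits VALUES (1, 1, 763720200.5, 'Transfer funds')")  # 2025-03-15 08:30:00.5 UTC
    return conn


def chrome_history(conn):
    rows = conn.execute("SELECT url, title, visit_count, last_visit_time FROM urls "
                        "ORDER BY last_visit_time DESC").fetchall()
    return [{"url": u, "title": t, "visits": n, "last_visit": fmt(chrome_time(ts))}
            for u, t, n, ts in rows]


def safari_history(conn):
    rows = conn.execute("SELECT i.url, v.title, v.visit_time FROM history_items i "
                        "JOIN history_visits v ON i.id = v.history_item "
                        "ORDER BY v.visit_time DESC").fetchall()
    return [{"url": u, "title": t, "visited": fmt(safari_time(ts))} for u, t, ts in rows]


if __name__ == "__main__":
    for row in chrome_history(build_chrome_sample()) + safari_history(build_safari_sample()):
        print(row)
```

A quick sanity check when you pick up an unfamiliar browser database: convert the largest timestamp in the table and confirm it lands on or before the acquisition date. If it lands in 1601, 2001 or 1970 you have the wrong epoch or unit.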
Browser Forensic Value
| Artifact | Investigative Value |
|---|---|
| Browsing History | Websites visited, search queries, access times |
| Downloads | Downloaded files, sources, timestamps |
| Cookies | Login sessions, site preferences, tracking |
| Cached Content | Viewed images, pages even after history cleared |
| Autofill Data | Addresses, names, payment info entered |
| Saved Passwords | Credentials for websites (encrypted) |
GPS & Location Data
Location data can establish where a device (and likely its user) was at specific times, crucial for alibi verification or placing suspects at crime scenes.
Sources of Location Data
Cell Tower Records
CDR/IPDR from telecom operators showing cell tower connections over time.
GPS History
Precise coordinates from GPS-enabled apps like Google Maps, navigation apps.
WiFi Connections
History of WiFi networks connected reveals location history.
Photo Geotags
EXIF metadata in photos contains GPS coordinates where photo was taken.
Google Location History
# Google Location History (Android)
/data/data/com.google.android.gms/databases/
gmscore.db # Location data
# Google Maps cache
/data/data/com.google.android.apps.maps/
databases/gmm_myplaces.db # Saved places
databases/gmm_storage.db # Search/navigation history
# Cloud alternative: request the account's Location History (Timeline) through Google Takeout or by legal process.
# The export is Records.json: one entry per fix with latitudeE7 and longitudeE7 (degrees x 10^7),
# accuracy in metres and a UTC timestamp.
# Since 2024 Google has been moving Timeline storage onto the handset, so a Takeout export can be empty
# for recent accounts; check the on-device Timeline export as well.
iOS Location Data
# iOS Significant Locations (routined)
/private/var/mobile/Library/Caches/com.apple.routined/
Cache.sqlite # Visits and location samples (Local.sqlite / Cloud.sqlite on newer iOS)
# Cell tower and WiFi location cache (locationd)
/private/var/root/Library/Caches/locationd/
consolidated.db # Location cache on older iOS; newer versions split it into cache_encryptedA.db and related files
# Note: neither directory is included in an iTunes/Finder backup; both need a full file-system extraction
# (checkm8/jailbreak-class access or a commercial tool that provides it)
# iOS 14+ has increased privacy controls; on the device itself Significant Locations are shown only after passcode entry
Photo EXIF Data
# Extract GPS tags from a photo with ExifTool (add -n to print decimal degrees instead of deg/min/sec)
exiftool -gps* photo.jpg
# Key EXIF tags (illustrative values for a photo taken in central Delhi):
GPS Latitude: 28.6139 N
GPS Longitude: 77.2090 E
GPS Altitude: 216 m
GPS Date/Time: 2025:03:15 09:00:00Z # written by the GPS receiver in UTC, independent of the phone's clock and timezone
# GPS tags are ordinary metadata: absent when location tagging is off, stripped by WhatsApp and most
# messaging apps on forwarding, and trivially editable, so corroborate them with another source.
# Python extraction with Pillow: read the GPS sub-IFD (tag 0x8825), name its tags, convert DMS to decimal
from PIL import Image
from PIL.ExifTags import GPSTAGS
exif = Image.open("photo.jpg").getexif().get_ifd(0x8825)
gps = {GPSTAGS.get(tag, tag): value for tag, value in exif.items()}
# (deg, min, sec) rationals to signed decimal degrees; sign comes from the N/S/E/W reference tag
to_dec = lambda v, ref: (float(v[0]) + float(v[1]) / 60 + float(v[2]) / 3600) * (-1 if ref in "SW" else 1)
print(to_dec(gps["GPSLatitude"], gps["GPSLatitudeRef"]), to_dec(gps["GPSLongitude"], gps["GPSLongitudeRef"]))
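Both location sources in this section end up as the same question: was the device within some distance of a place during some window? The following is an added example, not code from the page, that serves the Google Takeout description above and the EXIF extraction just shown. It parses a constructed Records.json (the latitudeE7/longitudeE7/accuracy/timestamp layout described above), converts EXIF degree/minute/second tuples the way Pillow hands them over, and filters points by a time window and a haversine distance to a reference coordinate. All coordinates and times are made up; the 250 m radius and the widening by reported accuracy are choices for the example, not anything the page prescribes.

```python
import json
import math
from datetime import datetime, timezone


def dms_to_decimal(dms, ref):
    """EXIF GPSLatitude/GPSLongitude are (deg, min, sec) rationals; ref is N/S/E/W."""
    deg, minutes, seconds = (float(x) for x in dms)
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres using a mean Earth radius of 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))


# Constructed Takeout-style Records.json (made-up fixes, not real data).
SAMPLE_RECORDS = json.dumps({"locations": [
    {"latitudeE7": 286145000, "longitudeE7": 772095000, "accuracy": 12, "timestamp": "2025-03-15T08:25:10Z"},
    {"latitudeE7": 286130000, "longitudeE7": 772100000, "accuracy": 20, "timestamp": "2025-03-15T08:41:55Z"},
    {"latitudeE7": 287041000, "longitudeE7": 771025000, "accuracy": 35, "timestamp": "2025-03-15T08:47:00Z"},
    {"latitudeE7": 190760000, "longitudeE7": 728777000, "accuracy": 10, "timestamp": "2025-03-15T10:00:00Z"},
]})

# Constructed GPS IFD as Pillow's GPSTAGS mapping would name it (made-up photo).
SAMPLE_EXIF_GPS = {"GPSLatitude": (28, 36, 50.04), "GPSLatitudeRef": "N",
                   "GPSLongitude": (77, 12, 32.4), "GPSLongitudeRef": "E"}


def parse_timestamp(s):
    """Takeout timestamps are ISO 8601 with a trailing Z; make them aware UTC datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def takeout_points(raw):
    for p in json.loads(raw)["locations"]:
        yield {"lat": p["latitudeE7"] / 1e7, "lon": p["longitudeE7"] / 1e7,
               "accuracy_m": p.get("accuracy"), "time": parse_timestamp(p["timestamp"])}


def exif_point(gps, time):
    """Turn a named GPS IFD plus the photo's GPS timestamp into the same point shape."""
    return {"lat": dms_to_decimal(gps["GPSLatitude"], gps["GPSLatitudeRef"]),
            "lon": dms_to_decimal(gps["GPSLongitude"], gps["GPSLongitudeRef"]),
            "accuracy_m": None, "time": time}


def points_near(points, ref_lat, ref_lon, radius_m, start, end):
    """Points inside [start, end] whose distance to the reference, reduced by the fix's
    reported accuracy, is within radius_m. Returned in time order."""
    hits = []
    for p in points:
        if not (start <= p["time"] <= end):
            continue
        d = haversine_m(p["lat"], p["lon"], ref_lat, ref_lon)
        if d - (p["accuracy_m"] or 0) <= radius_m:
            hits.append({**p, "distance_m": round(d)})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    residence = (28.6139, 77.2090)  # reference point, e.g. the complainant's address
    window = (datetime(2025, 3, 15, 8, 20, tzinfo=timezone.utc),
              datetime(2025, 3, 15, 8, 50, tzinfo=timezone.utc))
    pts = list(takeout_points(SAMPLE_RECORDS))
    pts.append(exif_point(SAMPLE_EXIF_GPS, datetime(2025, 3, 15, 8, 35, tzinfo=timezone.utc)))
    for h in points_near(pts, *residence, 250, *window):
        print(h["time"].isoformat(), f"{h['distance_m']} m", f"accuracy={h['accuracy_m']}")
```

Keep the accuracy field in the output: a 12 m fix 80 m from the address and a 35 m fix 14 km away tell very different stories, and an opposing expert will ask about it. The Mumbai point at 10:00 UTC is deliberately outside both the window and the radius so the filter has something to reject.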
In an extortion case, the suspect claimed to be in a different city at the time of the threat calls. Google Location History from the suspect's phone showed precise GPS coordinates placing him near the victim's residence during the calls. Photo metadata from the same day showed matching locations.
App Forensic Tools
Various tools help automate app artifact extraction and analysis.
Open Source Tools
| Tool | Purpose | Features |
|---|---|---|
| ALEAPP (Android Logs Events And Protobuf Parser) | Android artifact parser | Parses 200+ Android artifacts, including WhatsApp, Instagram, Chrome and Google Maps databases, from a file-system extraction or ADB backup |
| iLEAPP | iOS artifact parser | Same approach for iOS backups and file-system extractions |
| WhatsApp Viewer | WhatsApp analysis | Opens decrypted msgstore.db files and decrypts .crypt backups when given the key file |
| DB Browser for SQLite | Database viewer | Manual examination of any app SQLite database, including its WAL file |
| ExifTool | Metadata extraction | Reads EXIF, including GPS position and timestamp, from photos and videos |
Commercial Tools
- Cellebrite UFED/PA: Comprehensive app parsing with auto-decryption
- Oxygen Forensic: Deep app analysis, cloud extraction
- Magnet AXIOM: Integrated app artifact parser, AI analysis
- MSAB XRY: Mobile forensics with app analysis modules
Summary
- WhatsApp data lives in /data/data/com.whatsapp/ (root) and in the encrypted backup under /sdcard/WhatsApp/ or /sdcard/Android/media/com.whatsapp/WhatsApp/ (no root)
- msgstore.db contains messages and the call log; wa.db contains contacts; .crypt14 backups need the device's files/key, .crypt15 backups the user's backup password or 64-digit key
- Social media apps (Facebook, Instagram, Telegram) store data in app-specific SQLite databases whose table names change between versions
- Banking/UPI apps use heavy encryption and keep most data server-side; complete records require requests to the provider or NPCI
- Browser history is in SQLite databases (History, Cookies, Web Data, Login Data); Chrome's Bookmarks file is JSON
- Chrome timestamp: (value/1000000) - 11644473600 gives Unix time; Safari: value + 978307200
- Location data comes from GPS apps, WiFi history, photo EXIF and cell tower records (CDR/IPDR)
- Google Location History (Takeout Records.json) gives the most complete timeline while the account still syncs it to the cloud
- Use ALEAPP/iLEAPP for automated artifact parsing, then verify key findings manually in the source database