Media captions missed by new Android Whatsapp parser and UFDR chat parser #1555
Comments
|
What IPED version are you using? If 4.0 or later, could you send me the report.xml file in root folder of the UFDR (it's a zip) privately so I can reproduce? |
|
Although I need the asked information, I took a look at one recent UFDR case here. Are you sure it isn't the opposite? Internal WhatsAppParser missing attachment titles and the external/UFED one is printing them? Seems to me it occurs when the message has some kind of text body. I think it is not related to ForwardedMessages, but it could be another issue, so sharing your triggering sample would help. PS1: I detected the same thing with internal TelegramParser missing some attachment titles when text body already exists. PS2: Conclusions above assume the UFED/UFDR results are correct, it isn't always true... Just analyzing the original WhatsApp/Telegram database to be sure. |
|
Hi, I'm simulating the occurrence on a test cell phone here so that I can send you the ufdr file. |
|
Thank you! |
For the iphone, we tested both in 4.1 and 4.07 and in both the parser that came the text/legend of the photo was the iped parser. But we are searching for more images to see if its a pattern or not. |
|
Update: we confirm that we did not find a different behavior for the iphone. the parser that came the text/legend of the photo was the iped parser. I sent you the email with the files about the LG test phone. (behavior is different) |
|
Thank you very much @gisms for creating test data to reproduce the issue! I'll take a look soon. |
|
Hi @gisms, I'm sorry for the delay here. I found some issues (like media caption missing) and some non implemented features in the internal parser for the "new" Android database schema. I'm trying to fix them and I'll notice it here. PS: The issues I found are within the IPED parser, not with the Cellebrite one. |
lfcnassif
changed the title
lfcnassif
changed the title
|
Actually, the "new" schema is changing... There was no media_caption column in the database and captions were saved in text_data column of message table. In your test sample (thanks for creating it), there is a new media_caption column in message_media table, but it is always empty and captions are still into text_data. Possibly the new column will be used in the near future... |
Update: there are a few (not all of them) messages from external parser missing captions indeed. And almost all media messages are duplicated, I'll open a separate issue for the duplication issue. |
lfcnassif
changed the title
|
Hi @gisms, I think I fixed the issue you reported and some I've found, please test if this snapshot works for your real case: Thanks |
|
I tested again all fixes above, they look fine. Please test the last snapshot pointed out above and reopen if it doesn't work for your real case, thank you for reporting and providing test data to reproduce! |
|
Hi!!!
Thank u a lot!! I will test and let you know.
🙏👍
Em sex., 10 de mar. de 2023 às 13:28, Luis Filipe Nassif <
***@***.***> escreveu:
… Closed #1555 <#1555> as
completed.
—
Reply to this email directly, view it on GitHub
<#1555 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AP4XN5TKBI4SGLCPUP2LAEDW3NJDPANCNFSM6AAAAAAVKWEMFE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
--
Att.
Gisele Machado
|
lfcnassif
changed the title
Hey!!
We decode a Whatsapp base from a ufdr file using both the internal and external parser. Extraction referring to iphone 14, Cellebrite - PA [7.60.1.]
We noticed that when decoding a forwarded message that contains image and text, the external decoder does not parse the text. The internal decoder works correctly, as shown in the image below.
The text was updated successfully, but these errors were encountered: