Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WhatsApp parser may lose recent messages #1791

Closed
wladimirleite opened this issue Jul 29, 2023 · 3 comments · Fixed by #1792
Closed

WhatsApp parser may lose recent messages #1791

wladimirleite opened this issue Jul 29, 2023 · 3 comments · Fixed by #1792
Assignees
@wladimirleite
Labels
bug

Comments

@wladimirleite
Copy link
Member

wladimirleite commented Jul 29, 2023
edited

While working in a real case, I found important WhatsApp messages extracted from UFDR that were visible in Physical Analyzer but were not included in IPED's chat HTML. They were the most recent messages present on the device.
 
This is another tricky issue...
I found out that the messages came from the WAL (write-ahead log) that sometimes is present together (same folder and name, with suffix "-wal") with WhatsApp SQLite database.
IPED missed the WAL file, while PA handled it, although IPED's WA parser (and SQLite parsers in general) handles WAL files.
The issue was caused by the incorrect identification of the WAL file.
In this particular case, an image was embedded in the WAL file, which created two items (a folder and the image itself) with the names also found by the query that searches for the WAL file with the same path, as shown in the following image:
image
The parser found that the folder was the WAL file, missing the information contained in the actual WAL file.

I believe this issue is not very common, however it may happen not only with WhatsApp parser but any SQLite parser.
I will submit a PR making the search for the matching WAL a bit more robust.

EDIT: This issue may also affect SQLite journal files, which use the same search code.
@wladimirleite wladimirleite self-assigned this Jul 29, 2023
@lfcnassif
Copy link
Member

Good catch! Thanks @tc-wleite for reporting and investigating this! This may deserve another release, what do you think?

@wladimirleite
Copy link
Member Author

This may deserve another release, what do you think?

I don't think this issue is very common, but it can be critical when it happens, so maybe it justifies another release.
If you decide to do that, including #1782 would be nice for us here.

@lfcnassif
Copy link
Member

I don't think this issue is very common, but it can be critical when it happens, so maybe it justifies another release.
If you decide to do that, including #1782 would be nice for us here.

It seems related to the way PA software deals with WAL files, shouldn't happen in original evidences. But since we process a lot of UFDR reports, it may be worthy.

wladimirleite added a commit that referenced this issue Jul 29, 2023
@wladimirleite
'#1791: Ignore folders and items with different names in WAL search.
c8534a8
@wladimirleite wladimirleite mentioned this issue Jul 29, 2023
Merged
lfcnassif added a commit that referenced this issue Jul 29, 2023
@lfcnassif
Merge pull request #1792 from sepinf-inc/#1791_FixWALSearch
4b997b4 
Ignore folders and items with different names in WAL search (#1791)
lfcnassif pushed a commit that referenced this issue Aug 11, 2023
@wladimirleite @lfcnassif
'#1791: Ignore folders and items with different names in WAL search.
8a622d0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wladimirleite wladimirleite

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Ignore folders and items with different names in WAL search (#1791) sepinf-inc/IPED
2 participants
@wladimirleite @lfcnassif