Introduction

The company believes that a former employee revealed confidential client information via WhatsApp before leaving the firm. However, the employee argues that he deleted the conversation and there is no way to prove him guilty. Consequently, the investigators seize the mobile phone belonging to the former employee and give it to the forensic expert. The most pressing question that everyone wishes to have an answer to is very simple: when you delete a message on WhatsApp, is it really gone for good, or is it still on the phone?

This kind of thing happens a lot in workplace investigations, fraud cases, and even criminal investigations. When people are looking into fraudulent activities or investigating criminal matters, WhatsApp messages often serve as crucial evidence. WhatsApp is a popular messaging app, and people often use messages from WhatsApp as evidence. To figure out why we can sometimes get messages back and sometimes we cannot, we need to know how WhatsApp works under the hood.

This blog describes the data storage process within the messaging application called WhatsApp on Android and iPhone mobiles, the actual deletion process, and the methods used by forensic examiners to find any potential evidence that could be left behind. This article is intended for novice readers who have no previous experience in forensics.

How WhatsApp Stores Messages

Your WhatsApp messages that are sent or received by you will be stored in a file. This file is like a diary that you keep. Every WhatsApp message is recorded as a line in this diary. The WhatsApp messages file is basically the database file of your WhatsApp app. This database file is stored on your phone's internal storage, and its location and format differ between Android and iOS devices.

Android: msgstore.db

The chat history is stored by WhatsApp on an Android device in a file called msgstore.db. It is basically a SQLite database which is a small and popular format used for structuring data in one file only. In addition to this, WhatsApp stores daily backups in the form of encrypted files named like this: msgstore-YYYY-MM-DD.1.db.crypt15.

iOS: ChatStorage.sqlite

In an iPhone, this file takes the name ChatStorage.sqlite. Just like msgstore.db in an Android device, ChatStorage.sqlite also functions to hold all the chats, contacts, and media references within the database structure of SQLite format.

SQLite Databases and WAL Files

SQLite does not just use one file. It often works with another file called a Write-Ahead Log or WAL. When you make changes, SQLite does not write them right to the file. Instead, SQLite writes these changes to the Write-Ahead Log file first. Then it puts the data from the WAL file into the main database. This way is faster and helps keep your data safe if the power goes out suddenly. The WAL file and the main database work together to make this happen.

WAL files are really important when it comes to forensics. This is because WAL files may have copies of things like messages that people have deleted from the main part of the database. WAL files can have a lot of information like messages that are no longer visible in the main database view. So WAL files are very useful in forensics because they can contain copies of data that people thought they had deleted.

Local Encrypted Backups

Android and iOS also take periodic snapshots of your chat data, whether that is stored locally on the phone or synced into cloud services like Google Drive or iCloud. While encryption is common for such snapshots, they are a separate backup of your chat conversations that were created at some earlier time, which makes all the difference in recovery.

Evolution of WhatsApp Backup Encryption

WhatsApp's local backup format has changed considerably over time, and this matters for forensic work. The old versions of the app made backups using the Crypt12 format. This format used a consistent encryption method across all installations. It was not very complicated — the key derivation was simple and always the same everywhere. This meant that once forensic tools obtained the file, they could usually decrypt Crypt12 backups without much trouble. The Crypt12 backups were not very secure because of this.

Newer versions of WhatsApp moved to the Crypt14 format, and current installations typically use Crypt15. Both formats introduce stronger, per-installation key material, and Crypt15 in particular ties decryption to keys generated on the device and, in many cases, tied to the user's Google or Apple account credentials or a 64-digit backup encryption key the user has to set and remember. As a result, methods that worked well against Crypt12 backups do not automatically work for Crypt14 or Crypt15 files. Examiners now need to get the key material that is specific to the device or user — they cannot just use the backup file itself.

Modern encryption note: On recent versions of WhatsApp, the messages you send and receive are locked with a special code when they are stored on your phone. Only while the app is open can it unlock these messages so you can read them. As soon as you close the app, the messages are locked again with the special code. This is a change from what people used to think — that anyone could read your WhatsApp messages if they got a copy of the database file. This means that WhatsApp messages are now kept safe from people who should not see them, even if they obtain a copy of the database file.
Android msgstore.db (SQLite) + daily .crypt15 backup iPhone ChatStorage.sqlite + iCloud / local backup SQLite Main DB SQLite Main DB WAL File Both platforms follow the same core pattern: a SQLite database, a WAL buffer, and periodic backups

Figure 1: WhatsApp storage architecture on Android and iOS

So What Really Happens When You Delete a Message on WhatsApp?

WhatsApp gives you three ways to get rid of a message, and each one of these methods does something different with the message on your phone.

Delete for Me

The only thing that this feature will do is hide the message from your eyes. It will not alert the other participant to this action or delete the message from the other person's device. In your own mobile device, the record of the message will be deleted from the index of the database, but not necessarily from the database file itself. The underlying data remains in the database pages until those pages are overwritten by new data.

Delete for Everyone

This prompts WhatsApp to try and delete the message from all participants' phones and place "This message was deleted" instead. This is an attempt at doing so and cannot be guaranteed. The message will not be completely deleted if the receiver's phone is not online at the time of the deletion request, if the recipient has already seen the message, or if they have a local backup of that message from before the deletion attempt.

Clear Chat / Delete Chat

Clearing a chat deletes the messages from that chat only, but deletion of a chat would delete the chat itself. None of these two functions immediately destroy the data bits stored in the memory device.

User Taps Delete Message selected DB Record Removed from index Hidden from chat UI Page → Freelist Marked reusable Overwritten (eventually) Delete for Me Delete for Everyone Clear / Delete Chat All three actions hide the message before the underlying data is ever overwritten

Figure 2: Message deletion workflow across the three delete options

Why Deleted Messages Can Sometimes Be Recovered

Because of how SQLite and mobile storage work, a deleted message often leaves several traces behind. The design of SQLite prioritizes performance and reliability over immediate purging of data, which works in favour of forensic examiners. Here are the main reasons recovery can succeed.

SQLite Freelist Pages

As stated above, the deleted entries could be contained within freelist pages which are not yet re-used. After having obtained a decrypted version of the database using an extraction technique supported by forensic software, examiners can examine such freelist pages and often reconstruct the original content, sender, and time stamp of the messages. In encrypted-at-rest databases, however, this is only possible if one obtains the proper decryption key or a decrypted export of the database.

WAL Files

In case there is no merging of the WAL file into the primary database, it might have the complete copy of recently deleted messages which might not be visible from the primary database.

Backups

Backups are performed periodically, not constantly. A message deleted after the creation of the last backup will usually appear within the last backup file although it is no longer visible in the live chat. In case of Crypt14 and Crypt15 backups, reading the message is possible only if the right key is available.

Unallocated Storage

Deleted information may remain in unallocated areas on the broader level of phone storage (that is, apart from the information that has been deleted from the SQLite database). These are places on the storage that the operating system sees as empty, but which have not yet been overwritten by new data.

Overwriting Reduces the Chances

With increased usage of the phone post-deletion, there will be greater chances for the free storage to be utilized by other data, thereby causing destruction to the previous data stored there. Time and usage of the phone are the greatest adversaries of a successful recovery. The more the device is used after deletion, the more likely it is that deleted data will be overwritten and become permanently unrecoverable.

Simple illustration: Think of the process of erasing some writing done in pencil followed by rubbing off the eraser dust instantly. You may have no idea of what was written since the writing is invisible, but there will still be a mark left on the paper, provided nobody covers it up with a pen.

Android vs iPhone: Recovery Potential

While both platforms follow the same general storage principles, some practical differences affect how forensic examiners approach each one.

FactorAndroidiPhone
Storage Filemsgstore.db (SQLite)ChatStorage.sqlite
Recovery PotentialOften higher, more accessible file systemGenerally more restricted due to iOS sandboxing
BackupsLocal .crypt15 files, Google Drive backupiCloud backup, local iTunes/Finder backup
SecurityVaries by device manufacturer and encryption setupStrong default encryption and sandboxing
LimitationsRoot access often needed for deep extractionJailbreak or advanced tools often required
Android Open file system Root access unlocks more Manufacturer-dependent security iPhone Sandboxed file system Jailbreak often required Strong default encryption vs

Figure 3: High-level comparison of recovery conditions on Android and iPhone

Common Digital Forensic Recovery Techniques

A range of techniques is used by forensic analysts depending on the particular device and the objectives of the investigation. Whether particular methods are even feasible and whether or not they will succeed is determined by several parameters including the version of WhatsApp, version of the operating system, lock status and encryption status of the device, presence of appropriate encryption keys, availability of backups, and use of a proper acquisition technique.

  • SQLite Database Analysis: Directly parsing msgstore.db or ChatStorage.sqlite, including freelist pages, to reconstruct message history.
  • WAL Analysis: Examining the Write-Ahead Log file for recent changes not yet merged into the main database.
  • Backup Analysis: Decrypting and examining local backup files to recover an earlier snapshot of chats.
  • Cloud Backup Analysis: Retrieving and examining backups stored on Google Drive or iCloud, where legally authorized.
  • Logical Extraction: Pulling data and files from an app through device interfaces without requiring physical access to the storage.
  • Physical Extraction: Making a bit-for-bit copy of everything on the device, including unallocated space. This can reveal data that is not currently being used.
  • Chip-Off / ISP (In-System Programming): Specialized lab techniques used when other methods do not work, in serious cases.

Forensic suites such as Cellebrite UFED, Magnet AXIOM, Oxygen Forensic Detective, and open-source tools like Autopsy are commonly used to automate parts of this process. These tools help streamline the workflow from acquisition to analysis. The focus of this article, however, is on how data storage works rather than any specific product.

Seize Device Acquire Image Parse SQLite / WAL Reconstruct Chats Report

Figure 4: Simplified forensic investigation workflow

Common Myths About Deleted WhatsApp Messages

Myth: "Delete for Everyone" removes all evidence forever.
Reality: It just asks the recipients' devices to remove it. Copies might still be in backups, notifications, or on devices that were offline at the time.
Myth: You can always recover deleted messages.
Reality: It depends on when you try, how you use your device, whether encryption is enabled, and if the storage space has been overwritten.
Myth: Factory reset makes all data disappear.
Reality: It wipes the files, but some bits might still be found with specialized tools. This is not easy and not guaranteed.
Myth: End-to-end encryption stops investigators.
Reality: It protects messages in transit between devices. WhatsApp keeps your database encrypted and only decodes it when the app is running. Investigators still need the right encryption key or a lawful copy of the data.
Myth: Deleted chats immediately disappear from storage.
Reality: Deleted records move to free space first. They are only truly gone when that space is overwritten by new data.

Challenges and Limitations

Recovery is never guaranteed. Several factors can make it difficult or completely impossible:

  • Overwritten Database Pages: The moment the freelist space has been reallocated, the data stored therein becomes irretrievable and cannot be recovered by any known method.
  • Strong Encryption: Modern encryption protocols at application and hardware levels ensure that access is not possible without the appropriate credentials. Even with the database file in hand, encrypted data may be inaccessible.
  • No Available Backups: When backup was either switched off or removed, there is no previous snapshot to revert to. In such cases, recovery relies entirely on what remains in the live database.
  • Factory Reset: Greatly minimizes the amount of recoverable data, particularly on encrypted devices. A factory reset followed by new data write operations makes recovery extremely unlikely.
  • Unsupported or Newer Devices: Not all forensic tools are able to match new devices' features and OS versions. This is especially challenging with newly released smartphone models.
  • Secure Deletion Features: Some devices or applications will overwrite the space where deleted information was stored to prevent recovery. This is becoming more common in modern smartphones.

Legal and Ethical Considerations

When performing forensic work with someone's private messages, it is a serious matter that must be handled responsibly. You have to do it the right way.

  • Obtain Proper Legal Authorization: You need a warrant, the person's consent, or proper organizational authority before accessing someone's messages.
  • Respect Privacy Laws: Privacy laws vary by jurisdiction, and forensic examiners must comply with all applicable regulations. These laws differ across countries, so you have to be very careful.
  • Maintain Evidence Integrity: Proper chain of custody and documentation is essential to ensure findings are admissible and defensible. If someone questions your findings, you can prove that you did everything right.
  • Follow Forensic Best Practices: Adhere to established guidelines such as those published by the National Institute of Standards and Technology (NIST) to ensure your findings are correct and can be trusted.

Conclusion

The removal of a message in WhatsApp from your phone does not immediately entail that the information is removed at once. There could be different ways in which the information can still exist within various parts of the phone including between freelist pages, WAL files, local backups, and unallocated space. The recoverability of such information will depend on different technical aspects specific to each case.

For all people who are dealing with digital forensics, an awareness of these principles is important to develop reasonable expectations. "Deleted" does not necessarily mean "destroyed," but it certainly does not imply automatic recovery either. It all depends on the circumstances of the case — the time elapsed since deletion, the amount of phone usage after deletion, the encryption in place, and the availability of backups all play crucial roles in determining whether recovery is possible.