Introduction
The company believes that a former employee revealed confidential client information via WhatsApp before leaving the firm. However, the employee argues that he deleted the conversation and there is no way to prove him guilty. Consequently, the investigators seize the mobile phone belonging to the former employee and give it to the forensic expert. The most pressing question that everyone wishes to have an answer to is very simple: when you delete a message on WhatsApp, is it really gone for good, or is it still on the phone?
This kind of thing happens a lot in workplace investigations, fraud cases, and even criminal investigations. When people are looking into fraudulent activities or investigating criminal matters, WhatsApp messages often serve as crucial evidence. WhatsApp is a popular messaging app, and people often use messages from WhatsApp as evidence. To figure out why we can sometimes get messages back and sometimes we cannot, we need to know how WhatsApp works under the hood.
This blog describes the data storage process within the messaging application called WhatsApp on Android and iPhone mobiles, the actual deletion process, and the methods used by forensic examiners to find any potential evidence that could be left behind. This article is intended for novice readers who have no previous experience in forensics.
How WhatsApp Stores Messages
Your WhatsApp messages that are sent or received by you will be stored in a file. This file is like a diary that you keep. Every WhatsApp message is recorded as a line in this diary. The WhatsApp messages file is basically the database file of your WhatsApp app. This database file is stored on your phone's internal storage, and its location and format differ between Android and iOS devices.
Android: msgstore.db
The chat history is stored by WhatsApp on an Android device in a file called msgstore.db. It is basically a SQLite database which is a small and popular format used for structuring data in one file only. In addition to this, WhatsApp stores daily backups in the form of encrypted files named like this: msgstore-YYYY-MM-DD.1.db.crypt15.
iOS: ChatStorage.sqlite
In an iPhone, this file takes the name ChatStorage.sqlite. Just like msgstore.db in an Android device, ChatStorage.sqlite also functions to hold all the chats, contacts, and media references within the database structure of SQLite format.
SQLite Databases and WAL Files
SQLite does not just use one file. It often works with another file called a Write-Ahead Log or WAL. When you make changes, SQLite does not write them right to the file. Instead, SQLite writes these changes to the Write-Ahead Log file first. Then it puts the data from the WAL file into the main database. This way is faster and helps keep your data safe if the power goes out suddenly. The WAL file and the main database work together to make this happen.
WAL files are really important when it comes to forensics. This is because WAL files may have copies of things like messages that people have deleted from the main part of the database. WAL files can have a lot of information like messages that are no longer visible in the main database view. So WAL files are very useful in forensics because they can contain copies of data that people thought they had deleted.
Local Encrypted Backups
Android and iOS also take periodic snapshots of your chat data, whether that is stored locally on the phone or synced into cloud services like Google Drive or iCloud. While encryption is common for such snapshots, they are a separate backup of your chat conversations that were created at some earlier time, which makes all the difference in recovery.
Evolution of WhatsApp Backup Encryption
WhatsApp's local backup format has changed considerably over time, and this matters for forensic work. The old versions of the app made backups using the Crypt12 format. This format used a consistent encryption method across all installations. It was not very complicated — the key derivation was simple and always the same everywhere. This meant that once forensic tools obtained the file, they could usually decrypt Crypt12 backups without much trouble. The Crypt12 backups were not very secure because of this.
Newer versions of WhatsApp moved to the Crypt14 format, and current installations typically use Crypt15. Both formats introduce stronger, per-installation key material, and Crypt15 in particular ties decryption to keys generated on the device and, in many cases, tied to the user's Google or Apple account credentials or a 64-digit backup encryption key the user has to set and remember. As a result, methods that worked well against Crypt12 backups do not automatically work for Crypt14 or Crypt15 files. Examiners now need to get the key material that is specific to the device or user — they cannot just use the backup file itself.
Figure 1: WhatsApp storage architecture on Android and iOS
So What Really Happens When You Delete a Message on WhatsApp?
WhatsApp gives you three ways to get rid of a message, and each one of these methods does something different with the message on your phone.
Delete for Me
The only thing that this feature will do is hide the message from your eyes. It will not alert the other participant to this action or delete the message from the other person's device. In your own mobile device, the record of the message will be deleted from the index of the database, but not necessarily from the database file itself. The underlying data remains in the database pages until those pages are overwritten by new data.
Delete for Everyone
This prompts WhatsApp to try and delete the message from all participants' phones and place "This message was deleted" instead. This is an attempt at doing so and cannot be guaranteed. The message will not be completely deleted if the receiver's phone is not online at the time of the deletion request, if the recipient has already seen the message, or if they have a local backup of that message from before the deletion attempt.
Clear Chat / Delete Chat
Clearing a chat deletes the messages from that chat only, but deletion of a chat would delete the chat itself. None of these two functions immediately destroy the data bits stored in the memory device.
Figure 2: Message deletion workflow across the three delete options
Why Deleted Messages Can Sometimes Be Recovered
Because of how SQLite and mobile storage work, a deleted message often leaves several traces behind. The design of SQLite prioritizes performance and reliability over immediate purging of data, which works in favour of forensic examiners. Here are the main reasons recovery can succeed.
SQLite Freelist Pages
As stated above, the deleted entries could be contained within freelist pages which are not yet re-used. After having obtained a decrypted version of the database using an extraction technique supported by forensic software, examiners can examine such freelist pages and often reconstruct the original content, sender, and time stamp of the messages. In encrypted-at-rest databases, however, this is only possible if one obtains the proper decryption key or a decrypted export of the database.
WAL Files
In case there is no merging of the WAL file into the primary database, it might have the complete copy of recently deleted messages which might not be visible from the primary database.
Backups
Backups are performed periodically, not constantly. A message deleted after the creation of the last backup will usually appear within the last backup file although it is no longer visible in the live chat. In case of Crypt14 and Crypt15 backups, reading the message is possible only if the right key is available.
Unallocated Storage
Deleted information may remain in unallocated areas on the broader level of phone storage (that is, apart from the information that has been deleted from the SQLite database). These are places on the storage that the operating system sees as empty, but which have not yet been overwritten by new data.
Overwriting Reduces the Chances
With increased usage of the phone post-deletion, there will be greater chances for the free storage to be utilized by other data, thereby causing destruction to the previous data stored there. Time and usage of the phone are the greatest adversaries of a successful recovery. The more the device is used after deletion, the more likely it is that deleted data will be overwritten and become permanently unrecoverable.
Simple illustration: Think of the process of erasing some writing done in pencil followed by rubbing off the eraser dust instantly. You may have no idea of what was written since the writing is invisible, but there will still be a mark left on the paper, provided nobody covers it up with a pen.
Android vs iPhone: Recovery Potential
While both platforms follow the same general storage principles, some practical differences affect how forensic examiners approach each one.
| Factor | Android | iPhone |
|---|---|---|
| Storage File | msgstore.db (SQLite) | ChatStorage.sqlite |
| Recovery Potential | Often higher, more accessible file system | Generally more restricted due to iOS sandboxing |
| Backups | Local .crypt15 files, Google Drive backup | iCloud backup, local iTunes/Finder backup |
| Security | Varies by device manufacturer and encryption setup | Strong default encryption and sandboxing |
| Limitations | Root access often needed for deep extraction | Jailbreak or advanced tools often required |
Figure 3: High-level comparison of recovery conditions on Android and iPhone
Common Digital Forensic Recovery Techniques
A range of techniques is used by forensic analysts depending on the particular device and the objectives of the investigation. Whether particular methods are even feasible and whether or not they will succeed is determined by several parameters including the version of WhatsApp, version of the operating system, lock status and encryption status of the device, presence of appropriate encryption keys, availability of backups, and use of a proper acquisition technique.
- SQLite Database Analysis: Directly parsing msgstore.db or ChatStorage.sqlite, including freelist pages, to reconstruct message history.
- WAL Analysis: Examining the Write-Ahead Log file for recent changes not yet merged into the main database.
- Backup Analysis: Decrypting and examining local backup files to recover an earlier snapshot of chats.
- Cloud Backup Analysis: Retrieving and examining backups stored on Google Drive or iCloud, where legally authorized.
- Logical Extraction: Pulling data and files from an app through device interfaces without requiring physical access to the storage.
- Physical Extraction: Making a bit-for-bit copy of everything on the device, including unallocated space. This can reveal data that is not currently being used.
- Chip-Off / ISP (In-System Programming): Specialized lab techniques used when other methods do not work, in serious cases.
Forensic suites such as Cellebrite UFED, Magnet AXIOM, Oxygen Forensic Detective, and open-source tools like Autopsy are commonly used to automate parts of this process. These tools help streamline the workflow from acquisition to analysis. The focus of this article, however, is on how data storage works rather than any specific product.
Figure 4: Simplified forensic investigation workflow
Common Myths About Deleted WhatsApp Messages
Challenges and Limitations
Recovery is never guaranteed. Several factors can make it difficult or completely impossible:
- Overwritten Database Pages: The moment the freelist space has been reallocated, the data stored therein becomes irretrievable and cannot be recovered by any known method.
- Strong Encryption: Modern encryption protocols at application and hardware levels ensure that access is not possible without the appropriate credentials. Even with the database file in hand, encrypted data may be inaccessible.
- No Available Backups: When backup was either switched off or removed, there is no previous snapshot to revert to. In such cases, recovery relies entirely on what remains in the live database.
- Factory Reset: Greatly minimizes the amount of recoverable data, particularly on encrypted devices. A factory reset followed by new data write operations makes recovery extremely unlikely.
- Unsupported or Newer Devices: Not all forensic tools are able to match new devices' features and OS versions. This is especially challenging with newly released smartphone models.
- Secure Deletion Features: Some devices or applications will overwrite the space where deleted information was stored to prevent recovery. This is becoming more common in modern smartphones.
Legal and Ethical Considerations
When performing forensic work with someone's private messages, it is a serious matter that must be handled responsibly. You have to do it the right way.
- Obtain Proper Legal Authorization: You need a warrant, the person's consent, or proper organizational authority before accessing someone's messages.
- Respect Privacy Laws: Privacy laws vary by jurisdiction, and forensic examiners must comply with all applicable regulations. These laws differ across countries, so you have to be very careful.
- Maintain Evidence Integrity: Proper chain of custody and documentation is essential to ensure findings are admissible and defensible. If someone questions your findings, you can prove that you did everything right.
- Follow Forensic Best Practices: Adhere to established guidelines such as those published by the National Institute of Standards and Technology (NIST) to ensure your findings are correct and can be trusted.
Conclusion
The removal of a message in WhatsApp from your phone does not immediately entail that the information is removed at once. There could be different ways in which the information can still exist within various parts of the phone including between freelist pages, WAL files, local backups, and unallocated space. The recoverability of such information will depend on different technical aspects specific to each case.
For all people who are dealing with digital forensics, an awareness of these principles is important to develop reasonable expectations. "Deleted" does not necessarily mean "destroyed," but it certainly does not imply automatic recovery either. It all depends on the circumstances of the case — the time elapsed since deletion, the amount of phone usage after deletion, the encryption in place, and the availability of backups all play crucial roles in determining whether recovery is possible.