Please note that the phone number includes neither a + nor 00 for the country code; for the US this would be just 1. Once located, the file can easily be loaded into an SQLite browser of your choice. I was using DB Browser for SQLite, but pretty much any software such as DBeaver or HeidiSQL would do.

In the current version (14.6.0), the database consists of 15 tables, which are mostly interlinked through an events table. From a digital forensics perspective, the most interesting ones are undoubtedly the messages, calls and contact tables, as these might hold potential evidence about the case you are inspecting.

Let’s look at a common scenario: if, for example, the exchanged messages and the participants should be extracted, then the contact and messages tables have to be joined through the events table using a simple inner join. This join is necessary, as the messages table itself does not indicate who sent the message. In this example, I’ve also converted the epoch time into a more readable format.
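The join through the events table described above, as an added example that is not code from the original post. The table names come from the post; the column names (ContactID, EventID, TimeStamp, Name, Number, Body), the epoch-seconds timestamp and the sample rows are constructed assumptions, so check them against the real schema before reusing the query.

```python
import sqlite3
from pathlib import Path

# Constructed stand-in schema: table names follow the post, column names are assumed.
SCHEMA = """
CREATE TABLE contact  (ContactID INTEGER PRIMARY KEY, Name TEXT, Number TEXT);
CREATE TABLE events   (EventID INTEGER PRIMARY KEY, ContactID INTEGER, TimeStamp INTEGER);
CREATE TABLE messages (EventID INTEGER, Body TEXT);
"""

# Constructed sample rows, not real evidence. Event 12 has no messages row (e.g. a call).
SAMPLE = """
INSERT INTO contact VALUES (1, 'Alice Example', '15550100'), (2, 'Bob Example', '15550101');
INSERT INTO events VALUES (10, 1, 1600000000), (11, 2, 1600000060), (12, 1, 1600000120);
INSERT INTO messages VALUES (10, 'hello'), (11, 'hi there');
"""

# messages carries no sender, so the contact is reached through events.
# Assumes TimeStamp is epoch seconds; use e.TimeStamp / 1000 if it holds milliseconds.
QUERY = """
SELECT datetime(e.TimeStamp, 'unixepoch') AS time_utc, c.Name, c.Number, m.Body
FROM messages AS m
INNER JOIN events  AS e ON e.EventID   = m.EventID
INNER JOIN contact AS c ON c.ContactID = e.ContactID
ORDER BY e.TimeStamp;
"""

def open_readonly(db_path):
    """Open a working copy of the database read-only so the query cannot alter it."""
    return sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)

def build_sample():
    """In-memory database with the constructed schema and rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def extract_messages(conn):
    """Return (time_utc, name, number, body) tuples, oldest first."""
    return conn.execute(QUERY).fetchall()

if __name__ == "__main__":
    for row in extract_messages(build_sample()):
        print(" | ".join(row))
```

The inner join returns only events that have a messages row, so event 12 in the sample is left out of the result.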