Editor’s notes: Today we use many instant messenger apps like Wechat, WhatsApp to chat with our friends. And it’s not just text messages we exchange, with the development of mobile networks, now we also constantly share pictures, videos and other media files in these social apps. From the digital forensic point of view, media files shared in the chats are usually crucial evidence to an investigation. Especially when usually people tend to exchange voice messages instead of text messages.
So, how do we forensically extract media files shared in app’s chat history? In this article, SalvationDATA forensic experts will show you how it is done with our newly released mobile forensic product, Smartphone Forensic System Professional (SPF Pro).
Under what conditions can media files be extracted?
Actually, SPF Pro will always automatically extract the media files shared in app’s chat history when possible. Extracting data with most of the solutions provided in SPF Pro will include the media files automatically and requires no extra attention or operations from the users.
So why is there a dedicated Media File Extraction in the solution list, and when should we use this solution to extract data? Let’s find out in the second part of this article.
Media File Extraction
We recently posted an instruction article, introducing App Data Extraction Without Root By Using SPF Pro. In that post, we showed our customers how to load backup files to extract app data. Because media files are usually not included in a backup package but stored in the SD card, when people forget to connect the phone while extracting from backup files, the media files will be missing in your app extraction results. Media File Extraction provides a solution to that problem, by using this feature, you can link your backup extraction with a target smartphone, then SPF Pro will go to the smartphone’s SD card, extract the media files and display them in the chat history.
See below instructions to find out how this is done.
Step1. Create a backup of the target smartphone and load it into SPF Pro. This process is already introduced in our last blog post so I will not go through it again here.
Step2. Click ‘Media File Extraction’ from the solution list, and select the smartphone to link to this backup. (The smartphone you choose must be the one you created the backup from.)
Step3. Then select the target apps to extract data (messages, chat history, media files, etc.)
Step4. Wait for the process to complete, check out the extracted evidence data in Data Triage.
Let’s do a simple comparison between a Backup Extraction without a linked smartphone and a Media File Extraction. Check out the picture below, the difference is obvious. If an investigator has done a Backup Extraction without a linked smartphone, SPF Pro will not be able to locate the media files being shared in the chat. So the investigator is not able to know what pictures the people sent, or what they said in voice messages.
However, by using Media File Extraction introduced in this article, investigators can link and extract the media files, and find them in app’s chat history. So pictures, videos, voice messages and other media files shared in the chats will become accessible to the investigators, which would usually be extremely helpful for proving certain facts.
Keep following our updates and find out more wonderful features of SPF Pro! If you are interested, we welcome you to contact our team and enjoy your software trials for free!