Recovering WeChat data may be the most common forensic task an investigator handles day to day. Recovering a retracted (recalled) WeChat message is a special case: the message has not been deleted, but its state is very similar to that of a deleted one. Once retracted, the message is invisible in the chat and hard to extract.
About WeChat retracted messages
WeChat versions 6.6 to 7.0 let the sender re-edit a message for two minutes after retracting it; if no re-edit takes place, the message disappears from the chat history once those two minutes are up.
This means the message is not deleted immediately: even after the retraction, it remains in some cache files for a while.
Difficulties of recovering retracted WeChat messages
Where is the retracted message stored? In the WeChat user-account folder, in the file FTS5IndexMicroMsg.db-journal. The name indicates a SQLite database using the FTS5 full-text search extension, and a -journal file is SQLite's rollback journal: before a write transaction modifies a database page, SQLite copies the page's original content into the journal so the change can be rolled back. A retraction that removes the message text from the index therefore leaves the pre-modification copy of that text in the journal until the journal is deleted, truncated, or overwritten by a later transaction.
However, ordinary events such as the device shutting down unexpectedly, a reboot, or logging out of the WeChat app may cause the cache files holding the retracted message to be cleared. In that case the retracted message cannot be recovered and the extraction becomes much harder.
Fortunately, a SalvationDATA expert experienced with such cases offers the following tips for recovering retracted messages:
Preparation: an accessible Android device whose WeChat contains the retracted message; the WinHex tool, for reading the cache files.
Step 1. Create the retracted test data that needs to be recovered. Sample image:
Step 2. Pinpoint the WeChat cache file where the retracted message remains.
1) Pull the “FTS5IndexMicroMsg.db-journal” file with an ADB command (the file lives in the app's private data directory, so this requires root or equivalent access);
2) Open and view the cache file in WinHex. Sample image:
Step 3. Reboot the device (do not quit WeChat before rebooting).
1) Open WeChat after the reboot, enter the test data, then retract it.
2) Pull the “FTS5IndexMicroMsg.db-journal” file again with ADB and analyze it in WinHex; the target test data is found, as shown below:
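The WinHex step above is a keyword search over raw bytes. The following Python script is an added example, not SalvationDATA's tool and not WeChat's code, that does the same search while understanding the SQLite rollback-journal layout: it parses the journal header, walks the page records, verifies each record's checksum with SQLite's own formula, and carves printable UTF-8 runs (Chinese text is three bytes per character) so that every hit can be tied to a database page number and offset. The sample journal it builds is constructed in memory; the message text, page number, nonce and sizes in it are invented, and the script assumes the real file has already been pulled from the device.

```python
"""Carve retracted-message text out of a SQLite rollback journal.

Added example: not SalvationDATA's tool and not WeChat's code.  It assumes the
FTS5IndexMicroMsg.db-journal file has already been pulled from the device and
that the journal still holds the page images SQLite saved before the retraction
was committed.  The sample journal built below is constructed; its message text,
page number, nonce and sizes are invented.
"""
import re
import struct
import sys

# First 8 bytes of every SQLite rollback journal header.
JOURNAL_MAGIC = b"\xd9\xd5\x05\xf9\x20\xa1\x63\xd7"

# Runs of at least four printable UTF-8 characters (CJK text is 3 bytes/char).
UTF8_RUN = re.compile(
    rb"(?:[\x20-\x7e]"
    rb"|[\xc2-\xdf][\x80-\xbf]"
    rb"|[\xe0-\xef][\x80-\xbf]{2}"
    rb"|[\xf0-\xf4][\x80-\xbf]{3}){4,}"
)


def page_cksum(nonce: int, page: bytes) -> int:
    """SQLite's pager_cksum: nonce plus every 200th byte, counting down from page_size-200."""
    cksum = nonce
    i = len(page) - 200
    while i > 0:
        cksum += page[i]
        i -= 200
    return cksum & 0xFFFFFFFF


def parse_journal(data: bytes):
    """Return (header, records); each record is (page_no, page_image, checksum_ok).

    Header: 8 magic | 4 page count (0xffffffff = unknown) | 4 nonce |
            4 initial db size in pages | 4 sector size | 4 page size, all big-endian,
            padded to the sector size.  Each record: 4 page number | page image | 4 checksum.
    """
    if data[:8] != JOURNAL_MAGIC:
        raise ValueError("not a SQLite rollback journal (bad magic)")
    page_count, nonce, db_pages, sector, page_size = struct.unpack(">IIIII", data[8:28])
    header = {"page_count": page_count, "nonce": nonce, "initial_db_pages": db_pages,
              "sector_size": sector, "page_size": page_size}
    records, off, rec_len = [], sector, 4 + page_size + 4
    while off + rec_len <= len(data):
        if page_count != 0xFFFFFFFF and len(records) >= page_count:
            break
        page_no = struct.unpack(">I", data[off:off + 4])[0]
        page = data[off + 4:off + 4 + page_size]
        stored = struct.unpack(">I", data[off + 4 + page_size:off + rec_len])[0]
        records.append((page_no, page, stored == page_cksum(nonce, page)))
        off += rec_len
    return header, records


def load_records(data: bytes):
    """Parse the journal; if the header is gone (SQLite zeroes it in PERSIST journal
    mode after a commit; a truncated or deleted journal is simply empty), fall back to
    treating the whole file as one raw blob with page_no None and file-relative offsets."""
    if data[:8] == JOURNAL_MAGIC:
        return parse_journal(data)[1]
    return [(None, data, False)]


def carve_text(records, min_chars: int = 4):
    """Return a list of (page_no, offset, text) for every printable UTF-8 run in the images."""
    hits = []
    for page_no, page, _ok in records:
        for m in UTF8_RUN.finditer(page):
            text = m.group().decode("utf-8", errors="replace")
            if len(text) >= min_chars:
                hits.append((page_no, m.start(), text))
    return hits


def find_keyword(records, keyword: str):
    """The WinHex keyword search: carved runs that contain the test string."""
    return [hit for hit in carve_text(records) if keyword in hit[2]]


def build_sample_journal(page_size=1024, sector_size=512, nonce=0x1234) -> bytes:
    """Constructed one-page journal whose page 3 carries a (made-up) retracted message."""
    page = bytearray(page_size)
    msg = "测试撤回消息 secret-test-42".encode("utf-8")
    page[300:300 + len(msg)] = msg
    header = JOURNAL_MAGIC + struct.pack(">IIIII", 1, nonce, 7, sector_size, page_size)
    record = struct.pack(">I", 3) + bytes(page) + struct.pack(">I", page_cksum(nonce, bytes(page)))
    return header.ljust(sector_size, b"\x00") + record


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_journal()
    for page_no, off, text in carve_text(load_records(blob)):
        print(f"page={page_no} offset={off} {text!r}")
```

Run it with a pulled journal as the argument to list every carved run with its page number and in-page offset; with no argument it runs against the constructed sample. A record whose checksum does not verify was only partially written and should be treated with care. If the header has been zeroed, which SQLite does in PERSIST journal mode after a commit, the page records are still in the file and the script falls back to a raw scan of the whole file, with offsets relative to the file start; a journal that was deleted or truncated has nothing left to carve, which matches the "cache cleared" failure the post describes.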
1. WeChat rewrites this file at a high, vendor-defined rate, which affects whether a retracted message is still present in the cache files. The final result of the operation above is therefore unpredictable and largely depends on the actual state of the target device.
2. In general, testing has shown that retracted messages can be recovered through the operation above in two situations: 1) the cache file is retained after quitting the WeChat app; 2) the cache file is retained after rebooting the device.
3. Because smart devices vary widely (brand, model, OS), actual recovery results differ considerably; the specific recovery procedure must be worked out against the actual situation, and the solution offered here is for your reference.
Thank you for taking the time to read our blog. If you are interested in our forensic solutions, please visit our website for more information. You can also go to our resource page to download our forensic products for free, and you are welcome to contact us to ask for a free trial.