The selected topic is the forensic analysis of WeChat on Android phones. WeChat can be considered one of the most widely used instant messaging (IM) applications for Android in the world. By 2015, WeChat had reached six hundred and ninety-seven million users in over two hundred countries. The article presents WeChat forensics in five stages: installation paths and data acquisition, decrypting the message database, communication records, Moments, and conversion of the audio file format. Use of the application is increasing worldwide each year, and various criminals are currently using it for illegal activities. The application has two basic functions, chat and Moments. In the chat section the user communicates with other people, and in the Moments section the user shares life events.

Wu et al. (2017) provide various information regarding the forensics of the application on Android devices and analyze the gathered data within bounded parameters. This study reviews the information provided in that journal article and critically reviews the author's investigation and data-gathering process. For a better understanding of the topic, various other journals have been accessed, and information gathered from those articles is also included in this study. The comparison between the information provided in the articles can be seen in the study.

This study includes information gathered from various articles regarding the forensic investigation of WeChat. The study itself is based on the data those articles gathered while investigating WeChat on Android devices. These investigations cover acquiring the WeChat data and decoding the encrypted database, what was communicated by the user, with whom he or she communicated, and the information shared through Moments.

Development: Installation paths and data acquisition

Installing the WeChat application requires an installation path on the Android device; by default the paths are “/data/data/” and “/sdcard/Tencent/MicroMsg”. Subdirectories are created in the installation location to store the chat records and media files. The directory “” stores the configuration of the application. It acts as the database of the application, and the user authentication data and cache data are also stored here. The MicroMsg directory stores the records of the user and the user's activity in WeChat (Wu et al., 2017). WeChat creates a unique number to represent the identity of the user, and a personal data folder is created in the installed location “/data/data/”. Encryption is applied, and the personal folder is named with the MD5 value transformed from the user's unique ID. The user directory under “/sdcard/Tencent/MicroMsg” is also used to store multimedia files, which can be of different types such as audio, pictures, GIFs and videos (Gao & Zhang, 2013). For each user, a private encrypted folder is created using the MD5. Rooting the Android device grants access permission to the “” directory, which can then be used to obtain digital evidence from the device. The data can be extracted directly from a rooted Android device and exported using the Android Debug Bridge (adb): the adb pull command is used to access the directory “/data/data/”. On unrooted Android devices the data cannot be accessed using the adb pull command (Zhang, Yu & Ji, 2016). A different method is required, and numerous tests must be run on the device to get the data. Whether a backup of the data can be obtained from an unrooted Android device also depends on the Android version.
The unrooted backup method works on WeChat version 6.0: the backup command compresses the backup into a .tar.gz file, from which the data needed for forensics can be obtained. WeChat versions later than 6.0 must be downgraded, and the adb backup command is then used to back up the user data (Choi, Park & Kim, 2017). Downgrading WeChat to version 6.0 carries a possibility of data loss, so the necessary tests must be done on the device. The directory “/sdcard/Tencent/MicroMsg” can be accessed directly without root permission, so it can be extracted using the adb pull command to avoid the risk of data loss.

Decrypting the messages database

Messages sent using WeChat are encrypted for increased security and kept in the encrypted database EnMicroMsg.db. The encryption is applied using SQLCipher (Yuming, Junren & Kai, 2015). A decryption key is therefore required to decrypt the messages, and it can be derived from the IMEI (International Mobile Equipment Identity) code of the Android device and the unique ID (uni) of the WeChat user profile as dec_key = Left7(Md5(IMEI + uni)), where Left7 extracts the first 7 characters of the MD5 value. The IMEI is extracted from the configuration files “system_config_prefs.xml” and “CompatibilityInfo.cfg” (Chen & Wang, 2015). The database is encrypted through SQLite: the database file is divided into small blocks of 4 KB, and the ciphertext of each block is computed using the AES algorithm. Decryption uses the decryption key to convert the ciphertext back into plaintext.

The unique ID is the main element in computing the decryption key. When multiple WeChat accounts exist on the same Android device, only the unique ID of the last user is kept in the system_config_prefs.xml file, so the personal folder must be accessed and the unique ID computed from the name of the personal folder (Chu, Wang & Deng, 2016). The folder is named dir_name, i.e. Md5(mm + uni); the value of uni is 32 bits long, so the value space can be searched to find uni. The search takes time, about 48 hours, and precomputing the directory names requires 100 GB of storage space, with the names stored in a balanced binary tree (Zhang, 2016). Scripts can be written in different languages to make the decryption process easier, taking the files as input and producing the desired output. Different tools can be used to find the IMEI, and EnMicroMsg.db can be given as input to decrypt the file and find the PRAGMA key.
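The two derivations described above, dec_key and dir_name, as an added example (not code from Wu et al. or from WeChat), applied to the multi-account case where each personal folder has to be tied back to its uni before the key can be computed. It assumes uni is concatenated in its decimal text form and the IMEI is an ASCII string; the function names and all sample values are constructed.

```python
import hashlib

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()

def dec_key(imei: str, uni: int) -> str:
    """dec_key = Left7(Md5(IMEI + uni)): first 7 hex characters of the digest."""
    return md5_hex(imei + str(uni))[:7]

def dir_name(uni: int) -> str:
    """Personal folder name, Md5("mm" + uni)."""
    return md5_hex("mm" + str(uni))

def match_folders(folders, candidate_unis):
    """Tie each personal folder found on the device to the candidate uni
    that produces its name; folders with no match map to None."""
    by_name = {dir_name(u): u for u in candidate_unis}
    return {f: by_name.get(f.lower()) for f in folders}

def search_uni(folder: str, start: int, stop: int):
    """Bounded search of [start, stop) for the uni behind one folder name.
    Returns None when the range does not contain it."""
    target = folder.lower()
    for uni in range(start, stop):
        if dir_name(uni) == target:
            return uni
    return None

# Constructed sample values, not taken from any real device or account.
SAMPLE_IMEI = "000000000000000"
SAMPLE_UNIS = [1234567, 7654321]

if __name__ == "__main__":
    # Two folders that belong to known accounts plus one that matches nothing.
    folders = [dir_name(u) for u in SAMPLE_UNIS] + ["f" * 32]
    for folder, uni in match_folders(folders, SAMPLE_UNIS).items():
        key = dec_key(SAMPLE_IMEI, uni) if uni is not None else "unresolved"
        print(folder, uni, key)
```

A folder left unresolved by `match_folders` is the case where the search over the 32-bit space, or the precomputed table the text mentions, is needed.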

Communication records

To perform a forensic analysis of WeChat communication records, all conversation records must be accessed, and their time and sender information must also be available to the analyst (Yanni & Junren, 2016). Chats in the WeChat application often contain images, multimedia information, emojis, voice recordings and chat messages. The conversation records of the user are stored in the message table of the database EnMicroMsg.db. Different storage schemes are used for recording messages, and different fields are created for storing different types of messages (Lee & Chung, 2015). Normal text conversations are stored in the database in a field labelled contents, while multimedia contents such as audio, images and videos are kept in local storage. The multimedia files can be accessed directly by analyzing the encoded strings; for example, if “isSend” is encoded as 1, the message was sent to the recipient by the sender; otherwise it was sent by the talker. Complete recovery of the chat messages is important for understanding the whole scenario and the meaning of the communication (Sun & Qin, 2014). The detailed process for recovering a multimedia file is to find the encoded string “THUMB_DIRPATH://th_dbb5e4622e87f85226c8da6893698fc0”. Let S1 represent the header string “THUMB_DIRPATH://th_”. The path of this image is computed as follows:

File_path = <uDir> + “/image2/” + substr(S1,2,3) + “/” + substr(S1,6,7) + “/th_” + S1,

Here, uDir = “/sdcard/Tencent/MicroMsg/<uDir>” and substr(S, start, end) returns the substring of S that begins at the start index and runs to the end index.

Audio files can be fetched by calculating the MD5 value of the encoding string, which is stored in the image path; video files can be obtained directly from the video folder, where they are stored in .mp4 format (Dai et al., 2017). Different methods for retrieving the audio, video and messages were analyzed, and it was found that there are different forensic tools available that can successfully retrieve the messages together with their timestamps. A data table can be created for analyzing the chat history and proceeding with the forensic analysis.


Moments in WeChat are used by users to share their life events and achievements with the friends and contacts in their WeChat list. Users can attach multimedia files to the moments they share, and the messages are stored in the database SnsMicroMsg.db (Shang, 2016). Two tables are created in the database to store the comments and the other information separately. The SnsInfo table is used for the Moment messages and contains the text, multimedia files such as images and videos, and different links (Lien & Cao, 2014). The SnsComment table holds the sharing messages and the comments associated with each post. The analysis focuses mainly on the username, createdTime and content fields. The username field identifies the owner of the message, and the content field records the data of the sharing message, stored as a BLOB (binary large object). The content field stores multiple data segments following the TLD structure (Azfar, Choo, & Liu, 2016). The first byte identifies the type of the data content, the second byte indicates the length of the data, and the third part stores the data contents. The details of the format of the content field of WeChat Moments can be analyzed using the BLOB data. The key elements of the content field are msgOwner, msgResID, msgContent, msgImagePath2 and msgImagePath, and they are stored in the TLD structure of the database (Zhou et al., 2015). The msgOwner contains the user who sent the text or message, msgResID contains the identity of the multimedia resources and is 20 bytes in length, msgContent contains the text used in the moment message, msgImagePath2 contains the thumbnail or the path of the image and the msgImagePath2 is used for storing the image source URL of the image shared in the moments.
To extract the multimedia files from the WeChat server, Moments must be explored, and the files must be extracted from the cache memory of the device.
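A parser for the content field layout as the text describes it (one type byte, one length byte, then the data), written as an added example and not taken from Wu et al. or from WeChat. The type tag values in `FIELD_TAGS` are hypothetical, since the page names the fields but gives no tag numbers, and the sample BLOB is constructed.

```python
# Hypothetical type tags: the page names these fields but not their tag values.
FIELD_TAGS = {0x01: "msgOwner", 0x02: "msgResID", 0x03: "msgContent"}
RES_ID_LEN = 20  # the page states that msgResID is 20 bytes long

def parse_tld(blob: bytes):
    """Split a content BLOB into (type, data) segments.
    Raises ValueError when a segment runs past the end of the BLOB,
    which is how a truncated or carved record shows up."""
    segments, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError(f"truncated segment header at offset {pos}")
        seg_type, length = blob[pos], blob[pos + 1]
        end = pos + 2 + length
        if end > len(blob):
            raise ValueError(f"segment at offset {pos} claims {length} bytes, "
                             f"only {len(blob) - pos - 2} remain")
        segments.append((seg_type, blob[pos + 2:end]))
        pos = end
    return segments

def decode_content(blob: bytes) -> dict:
    """Map parsed segments to named fields, checking the msgResID length."""
    record = {}
    for seg_type, data in parse_tld(blob):
        name = FIELD_TAGS.get(seg_type, f"unknown_0x{seg_type:02x}")
        if name == "msgResID":
            if len(data) != RES_ID_LEN:
                raise ValueError(f"msgResID is {len(data)} bytes, expected 20")
            record[name] = data.hex()
        else:
            record[name] = data.decode("utf-8", errors="replace")
    return record

def _seg(seg_type: int, data: bytes) -> bytes:
    return bytes([seg_type, len(data)]) + data

# Constructed sample BLOB, not taken from a real SnsMicroMsg.db.
SAMPLE_BLOB = (_seg(0x01, b"wxid_example")
               + _seg(0x02, bytes(range(20)))
               + _seg(0x03, "lunch at noon".encode("utf-8")))

if __name__ == "__main__":
    print(decode_content(SAMPLE_BLOB))
```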

Conversion of Audio File Format:

The audio file extension used by the WeChat application is “.aud”, a modified form of the AMR and SILK-v3 formats, which are standard audio file formats. Earlier versions of the application used the AMR format to encode and store audio. Therefore, by including “#!AMR” as the file header, the audio files (AMR and .aud format) can be decoded and played using the FFmpeg package (a type of decoder that WeChat uses).

Gao and Zhang (2013) used the approach of investigating an Android application through volatile and non-volatile memory data acquisition and analysis. The application the author investigated is WhatsApp, which is also an application like WeChat for Android devices. The application uses an SQLite database for storing the audio files. However, the location of the data and storage differs on the basis of device usage. Wu et al. (2017) failed to state which database WeChat specifically uses for storing the audio files, although the author has included the databases that WeChat currently uses in its most recent version, which are EnMicroMsg.db, SnsMicroMsg.db and many more.

As opined by Gao and Zhang (2013), on the iPhone the subfolders named with an MD5 hash under the folder named “Audio” record the voice messages. There is also a MesServerID folder that stores the names of the audio files, like the MD5 folder. This is the royalty-free (RF) SILK wideband audio encoding format provided by Skype. In order to decode and play the voice messages with common multimedia players during forensics, the encoding format of the audio files must be converted. A SILK_v3 audio file can be converted to a PCM audio file using the Opus voice coder with the sampling rate set at 48 kHz. Since PCM audio is similar to WAV audio, the PCM audio file can be decoded and played by regular audio players by adding a WAV file header. The WeChat application on the iPhone also uses the .aud format for the audio file extension.
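The two header fixes described in this section, as an added example (not code from the reviewed articles): restoring the AMR header on an AMR-based .aud file, and wrapping decoded PCM in a WAV header at 48 kHz. Mono 16-bit PCM and the function names are assumptions, the SILK_v3 decoding step itself is not shown, and the sample bytes are constructed.

```python
import io
import wave

# The AMR file magic is the "#!AMR" string from the text followed by a newline.
AMR_MAGIC = b"#!AMR\n"

def add_amr_header(aud: bytes) -> bytes:
    """Return the data with the AMR header in front, without doubling it
    when the file already carries one."""
    if aud.startswith(AMR_MAGIC):
        return aud
    return AMR_MAGIC + aud

def pcm_to_wav(pcm: bytes, rate: int = 48000,
               channels: int = 1, sample_width: int = 2) -> bytes:
    """Wrap raw PCM samples in a WAV container so regular players accept them.
    rate defaults to the 48 kHz used for the SILK_v3 to PCM conversion;
    channels and sample_width are assumptions (mono, 16-bit)."""
    frame_size = channels * sample_width
    if len(pcm) % frame_size:
        raise ValueError(f"PCM length {len(pcm)} is not a multiple of "
                         f"the {frame_size}-byte frame size")
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(channels)
        wav.setsampwidth(sample_width)
        wav.setframerate(rate)
        wav.writeframes(pcm)
    return buf.getvalue()

# Constructed sample data: 10 ms of silence and a dummy headerless payload.
SAMPLE_PCM = b"\x00\x00" * 480
SAMPLE_AUD = b"\x3c\x91\x17\x16"

if __name__ == "__main__":
    print(add_amr_header(SAMPLE_AUD)[:6])
    print(len(pcm_to_wav(SAMPLE_PCM)))
```

Write the converted bytes to a new file and keep the original .aud untouched, so the acquired evidence and its hash stay unchanged.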

From the above discussion it is clear that audio files in WeChat on Android devices are used effectively and efficiently. The name tag stored in the MesServerID folder allows the files to be searched for more easily in the database.


Through this study, it has been understood that a digital forensic investigation is a critical and in-depth analysis of a digital application. An application that is installed on various mobile platforms such as Windows, Android and iPhone uses almost the same kind of technology. However, the application may differ in its internal functionality because of the technicalities and features of the operating system. Forensic investigations can be carried out on the basis of various factors such as memory, functions, features and many more. The internal functions of Android applications vary mainly because of application efficiency.

There are still various factors that the author could have included in the article, such as investigation through the storage factors. This can be done in two ways: the first is investigating by memory type, and the other is by storage location.

The value found through the study is that gathering data from various articles is an essential and valuable task, because it allows an adequate amount of data to be gathered and provides the opportunity to verify the data gathered from the sources.


