Unveiling Of Cyber Crime Evidence With WeChat Forensics Analysis

Mariah | October 23rd, 2015 | Forensics

WeChat is a text and voice messaging service developed in China. The application runs on smartphones (Android, iPhone, Windows Phone, BlackBerry) as well as on desktop and web clients for Windows and OS X. The desktop and web clients, however, require WeChat to be installed on a supported mobile device for authentication purposes, and they do not support message roaming or Moments.

With WeChat available on both mobile phones and desktop systems, the number of cybercrimes committed through it has risen substantially. A sound WeChat forensics approach for extracting messages is therefore needed so that they can serve as evidence in court. The following sections deal with extracting WeChat messages from its default storage database.

WeChat Analysis – Where Are WeChat Messages Stored?

WeChat does not use a directory named "database"; instead, the MicroMag directory serves the same purpose. The directory under MicroMag contains the EnMicroMsg.db database, which stores all WeChat chat messages. This database is encrypted with SQLCipher, an open source SQLite extension that encrypts the entire database with 256-bit AES. The positive aspect of this encryption, from an examiner's point of view, is that the key needed to decrypt the file can be derived from data present on the device itself.

WeChat Analysis

During WeChat forensics, four parameters are used to encrypt and decrypt the data stored in EnMicroMsg.db. These are:

  • PRAGMA key: KEY

This parameter sets the key that is to be used with the database.

  • PRAGMA cipher_use_hmac: off

This disables the use of per-page HMAC checks for compatibility with SQLCipher 1.1.

  • PRAGMA cipher_page_size: 1024

This changes the default page size of the database, which can improve performance.

  • PRAGMA kdf_iter: 4000

This parameter sets the number of iterations used by PBKDF2 key derivation.

Manual Decryption Of EnMicroMsg.db Under WeChat Forensics

In WeChat analysis, the KEY plays the most important role in decrypting the EnMicroMsg.db file. It is generated from the MD5 hash of the IMEI concatenated with the UIN; only the first 7 characters of the MD5 hash value are used as the KEY.

IMEI (International Mobile Identification Number) is the unique 15-digit number printed on the back of the mobile. You can also dial *#06# to display the IMEI number.

UIN (Unique Identifier) is the number that can be found in the file system_config_prefs.xml inside the WeChat application folder.

The formula for generating the KEY from the UIN and IMEI number is

KEY = first 7 characters of MD5(IMEI + UIN)

For example:

IMEI=357894356722095

UIN=-3398231209

KEY = MD5(357894356722095-3398231209)

The MD5 hash value is cbfd3bcdb9d7606e885d667a78a9077f

KEY = cbfd3bc

Therefore, the KEY to decrypt EnMicroMsg.db is cbfd3bc

Python Script To Decrypt EnMicroMsg.db File

While decrypting the EnMicroMsg.db file during WeChat forensics, investigators can also use a Python script. For this, pysqlcipher must be installed so that the SQLCipher functions are available from Python.

The Python script used is named fmd_wechatdecipher.py. It needs two input files and one value entered by the user:

  • db – the main file that contains the WeChat messages (EnMicroMsg.db).
  • xml – the file that contains the UIN number.

The value the user needs to enter is the IMEI of the mobile.

The output files generated after the script runs are:

  • EnMicroMsg-decrypted.db – the decrypted database, which contains all the WeChat messages.
  • EnMicroMsg-decrypted.log – the log file, which records the UIN, IMEI and the KEY, along with the MD5 and SHA1 values of EnMicroMsg-decrypted.db.

To run the script, put all the input files in the same folder as the Python script. When prompted, enter the IMEI number; the script prints the KEY and decrypts the EnMicroMsg.db file automatically.

All the messages in the EnMicroMsg-decrypted.db file can then be viewed and extracted with an SQLite Database Browser.
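As an added example (not the fmd_wechatdecipher.py script the post refers to, nor WeChat's own code), the following Python shows the KEY derivation from the manual section and the four SQLCipher PRAGMAs applied in the order SQLCipher requires, ending with an export of the plaintext copy. The prefs XML sample and its "default_uin" attribute name are constructed assumptions, and decrypt_db assumes the pysqlcipher3 package is installed.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample of a system_config_prefs.xml; the attribute name
# "default_uin" is an assumption, not taken from the article.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <int name="default_uin" value="-3398231209" />
    <boolean name="isLogin" value="true" />
</map>"""


def parse_uin(xml_text, attr_name="default_uin"):
    """Return the UIN stored in the prefs XML as a string (sign included)."""
    root = ET.fromstring(xml_text)
    for node in root:
        if node.get("name") == attr_name:
            return node.get("value")
    raise ValueError("UIN entry %r not found" % attr_name)


def derive_key(imei, uin):
    """KEY = first 7 hex characters of MD5(IMEI || UIN), as the article states."""
    imei = str(imei).strip()
    uin = str(uin).strip()          # a negative UIN keeps its '-' sign
    if not re.fullmatch(r"\d{15}", imei):
        raise ValueError("IMEI must be exactly 15 digits")
    digest = hashlib.md5((imei + uin).encode("ascii")).hexdigest()
    return digest[:7]


def sqlcipher_pragmas(key):
    """The four PRAGMAs from the article; PRAGMA key must be issued first."""
    return [
        "PRAGMA key = '%s';" % key,
        "PRAGMA cipher_use_hmac = OFF;",
        "PRAGMA cipher_page_size = 1024;",
        "PRAGMA kdf_iter = 4000;",
    ]


def decrypt_db(src_path, dst_path, key):
    """Write a plaintext copy with SQLCipher's export function (needs pysqlcipher3)."""
    from pysqlcipher3 import dbapi2 as sqlcipher  # assumption: pysqlcipher3 installed
    conn = sqlcipher.connect(src_path)
    cur = conn.cursor()
    for stmt in sqlcipher_pragmas(key):
        cur.execute(stmt)
    cur.execute("ATTACH DATABASE ? AS plaintext KEY '';", (dst_path,))
    cur.execute("SELECT sqlcipher_export('plaintext');")
    cur.execute("DETACH DATABASE plaintext;")
    conn.close()
```

Running derive_key("357894356722095", parse_uin(SAMPLE_PREFS_XML)) reproduces the manual computation above, and decrypt_db("EnMicroMsg.db", "EnMicroMsg-decrypted.db", key) writes the plaintext copy.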

This blog has focused on the extraction and forensic analysis of WeChat messages. The file of main concern in WeChat forensics is EnMicroMsg.db. Examiners can choose either the manual process or the Python script to decrypt the file and extract the data from it.