iOS Unified Logs - Typing and sending a message in WhatsApp
Digital investigations often rely on examining logs, and when it comes to WhatsApp, the logs can be a treasure trove of information. In this article, we'll dive into the world of WhatsApp unified logs to uncover the records created when a user types a message in the application. These logs offer a valuable tool for digital investigators to confirm that a user truly typed their message by pressing the keys on their phone's keyboard, rather than using some other method.
Such insights can be crucial in various investigative scenarios, such as determining if a driver was using their phone during a car accident. Throughout this article, we'll explore how the mediaserverd process records every keypress on the keyboard, helping us reconstruct user actions with precision. This article is a deep dive into the digital forensics of WhatsApp, showing you the detailed digital trail that users leave behind as they use the app.
WhatsApp - Unified Logs
Before the user is able to send a message on the WhatsApp application, they will need to unlock their phone. This has been discussed in this article: https://www.ios-unifiedlogs.com/post/why-should-you-investigate-ios-unified-logs, and I can only recommend that you familiarize yourself with it before proceeding with this one.
When a user wishes to access the WhatsApp application, one of the most commonly used methods is simply clicking on the icon that we all recognize from the home screen. This action generates a plethora of logs that can assist digital investigators in meticulously proving this action. Here are, in my opinion, the key ones:
SpringBoard: Icon tapped: <private>
SpringBoard: Initiating launch from icon view: <private>
SpringBoard: Bootstrapping application<net.whatsapp.WhatsApp> with intent foreground-interactive
WhatsApp: Initializing connection
SpringBoard: sceneID:net.whatsapp.WhatsApp-default] Scene lifecycle state did change: Foreground
The first two logs listed above, recorded by the SpringBoard process, are registered when the user taps on an application icon from the home screen. As you can see, the process doesn't specify which application, as indicated by the "private" tag (in previous versions of iOS, this data wasn't hidden). Therefore, it is necessary to combine these with other logs. The third and fourth logs are only recorded when the application was not already running in the background before its launch! You won't find them every time, and it's important to keep that in mind. Finally, the fifth log records that the WhatsApp application is now in the "foreground" state. This demonstrates that the application has been opened and the user can now use it.
By combining several logs, it is readily demonstrable that an application has been launched by tapping its icon. For instance, the first two logs are not recorded when the user asks Siri to open the WhatsApp application, but this will be discussed in more detail in another article.
Once the user has entered the application, several different options are available to them. The first one that comes to mind is the ability to compose a message. Thanks to the mediaserverd process, which is not well-documented, it becomes possible to precisely reconstruct all the actions performed by the user!
Typing/Deleting a character and sending a message
When the user types a character on their keyboard, the mediaserverd process records the following log:
mediaserverd : Incoming Request : actionID 1104, inClientPID 21923(WhatsApp), inBehavior 0, customVibeDataProvided 0, loop 0, loopPeriod 0.000000, inFlags 0, inClientCompletionToken 5
mediaserverd : Incoming Request : actionID 1104, inClientPID 21923(WhatsApp), inBehavior 0, customVibeDataProvided 0, loop 0, loopPeriod 0.000000, inFlags 0, inClientCompletionToken 6
mediaserverd : Incoming Request : actionID 1104, inClientPID 21923(WhatsApp), inBehavior 0, customVibeDataProvided 0, loop 0, loopPeriod 0.000000, inFlags 0, inClientCompletionToken 7
Every time the user presses a character on the keyboard, this log is recorded! The ActionID recorded by the mediaserverd process is crucial because it allows you to precisely reconstruct the user's actions. In this case, pressing a character generates ActionID 1104 for the mediaserverd process.
For example, if the user wants to type the word "Hello," it would require 5 characters, and as a result, this log will be recorded 5 times. It's also important to note that the mediaserverd process specifies the application in which the character was pressed. In the example above, it was WhatsApp (inClientPID), but an equivalent log is recorded for all other applications, whether they are native or third-party. Finally, the last number you can observe, "inClientCompletionToken," is a "global" counter that is not specific to one application.
There is one particularly important thing to remember: ActionID 1104 is recorded ONLY when a character is pressed. If the user presses the Shift key, the "123" key at the bottom left, or the "World" key to change the keyboard language, no character is added to the message the user is typing on their phone. ActionID 1104 will not be recorded in these cases. Instead, it's ActionID 1156 that will be registered.
In your opinion, what about the "Space" key? What ActionID does it generate?
-> The space key generates ActionID 1156 and not ActionID 1104!
mediaserverd: Incoming Request : actionID 1156, inClientPID 2393(WhatsApp), inBehavior 0, customVibeDataProvided 0, loop 0, loopPeriod 0.000000, inFlags 0, inClientCompletionToken 8
When the user types on the keyboard to compose a message, it's not uncommon for small errors to slip in. As a result, the user will need to erase the mistyped character, which generates a different log from those we've seen so far. Indeed, when a character is deleted, ActionID 1155 is recorded this time. Just like the previously discussed ActionID 1104, this log is recorded every time the user presses the "Delete" key. So, if the user presses it three times to delete three characters, three logs containing ActionID 1155 will be recorded.
mediaserverd: Incoming Request : actionID 1155, inClientPID 2393(WhatsApp), inBehavior 0, customVibeDataProvided 0, loop 0, loopPeriod 0.000000, inFlags 0, inClientCompletionToken 9
Based on ActionIDs 1104, 1156, and 1155, it's already quite straightforward to establish that the user was typing on the keys of their phone's keyboard. This information can be crucial in certain investigations! Indeed, creating a WhatsApp message using Siri, using the Dictaphone feature, or recording a voice message won't generate these specific logs, and we'll discuss this in a future article.
Finally, after fully composing the message, it must be sent, thus generating a new ActionID unique to this action: ActionID 4097.
mediaserverd: Incoming Request : actionID 4097, inClientPID 2393(WhatsApp), inBehavior 0, customVibeDataProvided 0, loop 0, loopPeriod 0.000000, inFlags 0, inClientCompletionToken 10
Here is a brief summary table of the various ActionIDs we've discussed so far:
ActionID 1104: Typing a character on the keyboard.
ActionID 1155: Deleting a character.
ActionID 1156: Pressing a key on the keyboard that does not add a character to the message.
ActionID 4097: Sending the message.
During a long message that requires pressing many different keys on the keyboard, don't be surprised to see numerous logs recorded by the mediaserverd process, each mentioning an ActionID number. This is perfectly normal and simply indicates that the user has indeed pressed the keys on their phone's keyboard to compose their message! This can only be beneficial to your digital investigation.
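To show how these mediaserverd lines can be turned into a reconstruction of the user's keyboard activity, here is an added example (my own code, not part of the original article or any Apple tooling). It parses "Incoming Request" lines as they appear above, counts the ActionIDs per client application, and flags gaps in the global inClientCompletionToken counter, which would mean lines are missing from the export. The sample log lines and the PID 4111(Messages) entry are constructed for illustration.

```python
import re
from collections import Counter

# ActionIDs described in the article; 1156 also covers the space key.
ACTION_NAMES = {1104: "character typed", 1155: "character deleted",
                1156: "non-character key", 4097: "message sent"}

# Matches both "mediaserverd : Incoming Request" and "mediaserverd: Incoming Request" spellings.
REQUEST_RE = re.compile(
    r"mediaserverd\s*:\s*Incoming Request\s*:\s*actionID (?P<action>\d+),\s*"
    r"inClientPID (?P<pid>\d+)\((?P<app>[^)]*)\).*?inClientCompletionToken (?P<token>\d+)")

def parse_request(line):
    """Return (actionID, pid, app, completion token) for a mediaserverd request line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return int(m["action"]), int(m["pid"]), m["app"], int(m["token"])

def reconstruct_typing(lines, app="WhatsApp"):
    """Summarise keyboard activity attributed to `app` from log lines in chronological order.
    The completion token is global across clients, so gaps are checked before filtering by app."""
    counts, events, gaps, last_token = Counter(), [], [], None
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        action, _pid, client, token = parsed
        if last_token is not None and token != last_token + 1:
            gaps.append((last_token, token))  # missing mediaserverd line(s) in the export
        last_token = token
        if client != app:
            continue
        counts[action] += 1
        events.append(ACTION_NAMES.get(action, f"unknown actionID {action}"))
    return {"counts": dict(counts), "events": events,
            "net_characters": counts[1104] - counts[1155],  # characters left in the draft
            "messages_sent": counts[4097], "token_gaps": gaps}

# Constructed sample export: "Hi", space, "!", delete, a haptic from another app, then send.
FIELDS = "inBehavior 0, customVibeDataProvided 0, loop 0, loopPeriod 0.000000, inFlags 0"
SAMPLE_LOG = [
    f"mediaserverd : Incoming Request : actionID 1104, inClientPID 2393(WhatsApp), {FIELDS}, inClientCompletionToken 5",
    f"mediaserverd : Incoming Request : actionID 1104, inClientPID 2393(WhatsApp), {FIELDS}, inClientCompletionToken 6",
    f"mediaserverd: Incoming Request : actionID 1156, inClientPID 2393(WhatsApp), {FIELDS}, inClientCompletionToken 7",
    f"mediaserverd: Incoming Request : actionID 1104, inClientPID 2393(WhatsApp), {FIELDS}, inClientCompletionToken 8",
    f"mediaserverd: Incoming Request : actionID 1155, inClientPID 2393(WhatsApp), {FIELDS}, inClientCompletionToken 9",
    f"mediaserverd: Incoming Request : actionID 1104, inClientPID 4111(Messages), {FIELDS}, inClientCompletionToken 10",
    f"mediaserverd: Incoming Request : actionID 4097, inClientPID 2393(WhatsApp), {FIELDS}, inClientCompletionToken 12",
]
```

Running reconstruct_typing(SAMPLE_LOG) attributes three typed characters, one deletion, one non-character key and one send to WhatsApp, leaving two characters in the draft, and reports the token jump from 10 to 12.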
In the field of digital investigations, WhatsApp Unified Logs are a goldmine of information. These logs help us confirm that users indeed typed their messages using their device's keyboard, and they reveal some key insights.
When users tap the WhatsApp icon to access the app, they leave behind significant traces, already indicating that the phone's screen was used to launch the application. We later discovered that the mediaserverd process keeps a record of every key press, giving each a specific code (like ActionID 1104) for every character typed. These numerical codes also help us to differentiate character presses from other keyboard actions, like using the Shift key or changing language (ActionID 1156). Corrections, such as deleting characters, are also recorded with their own code (ActionID 1155).
When users use Siri or Dictaphone to "write" a message, different logs are created and we'll explore this in a future article. Finally, when a message is ready and sent, a new code (ActionID 4097) is made. This detailed analysis gives digital investigators the power to precisely understand what users did, which is incredibly useful in various types of investigations, like road traffic accidents. These insights help us understand how users use the WhatsApp app and can be very helpful in figuring out what really happened.
Enjoy your Digital Investigations!