FRT Global Solutions

Direct service

WA Forensic

Read-only mobile forensic analysis for legally acquired iOS backups, WhatsApp databases, deleted-message traces, reports, and chain of custody.

The challenge

WhatsApp evidence is rarely clean. Investigators may receive an iOS backup, a set of SQLite databases, exported chats, media references, or partial artefacts from a prior acquisition. Deleted messages, emptied chats and revoked-message records can remain in residual database structures, but they must be handled carefully: overclaiming is as dangerous as missing the evidence.

Our approach

WA Forensic is designed as a read-only analysis workflow for authorised forensic work. It examines WhatsApp databases and related iOS artefacts, extracts structured evidence, attempts best-effort recovery from SQLite WAL, freelist and free-block areas, and records provenance with hashes, offsets, confidence levels and a hash-linked chain of custody. The platform does not bypass end-to-end encryption, brute-force credentials, or access devices without authorisation.

Mobile evidence

Deleted-message recovery, without overclaiming.

WA Forensic separates evidence, probability and technical impossibility so that findings remain useful in sensitive investigations.

The system looks for recoverable evidence where forensic remnants realistically survive: live database records, revoked-message metadata, WAL frames, SQLite freelist pages, free blocks and cross-source iOS artefacts.

Every candidate fragment is recorded with source metadata and a normalised hash, so reviewers can trace where it came from and distinguish a strong finding from a partial or unattributable fragment.

The reporting model is deliberately conservative. When encryption, overwritten pages or missing keys make recovery infeasible, the limitation is documented rather than hidden.

Forensic capabilities

  • Read-only analysis of acquired evidence
  • WhatsApp SQLite and WAL inspection
  • Deleted-fragment carving
  • Revoked-message and emptied-session extraction
  • Cross-source timeline support
  • Confidence scoring and deduplication
  • Hash-linked chain of custody
  • JSON, CSV and summary reporting

Typical use cases

  • Internal investigations involving authorised mobile evidence
  • Litigation support and preliminary expert review
  • Private forensic triage before formal laboratory escalation
  • Audit-ready documentation of methods, artefacts, hashes and limits

What's included

What's included

  • Analysis of ChatStorage.sqlite, ChatStorage.sqlite-wal, ExtChatDatabase.sqlite, LID.sqlite, CallHistory.sqlite and related iOS artefacts
  • Extraction of revoked-message records, emptied chat sessions, contact identifiers, media references, timestamps and metadata
  • Best-effort carving of readable deleted-message fragments from SQLite freelist pages, free blocks, WAL frames and residual tail data
  • Candidate classification with confidence score, source type, source page, byte offset, byte length and SHA-256 hash
  • JSON, CSV and investigator-readable reports for review, disclosure and expert handover
  • Hash-linked chain-of-custody log for acquisition, processing, outputs and integrity verification

Engagement

Engagements begin with a scoping call to confirm authority, device or backup status, acquisition method, jurisdictional constraints and reporting expectations. FRT can analyse already acquired backups, help structure a defensible workflow, or prepare a triage report for escalation to a certified digital forensics laboratory when required.

Coverage

WA Forensic is intended only for lawful, authorised forensic work. Deleted content is recoverable only when readable remnants still exist in the backup, SQLite database, WAL, freelist, cache or supporting artefacts. Encrypted WhatsApp or Signal material cannot be reconstructed when the required keys are absent from the acquired evidence.

FAQ

Common questions.

Can WA Forensic recover deleted WhatsApp messages?
Sometimes. It can recover readable remnants that still exist in databases, WAL files, SQLite freelists, free blocks, caches or related artefacts. It cannot recover content that has been overwritten or was never present in the acquired material.
Does it bypass WhatsApp encryption?
No. WA Forensic does not break end-to-end encryption, brute-force credentials or reconstruct Signal ratchet keys that are not present in the evidence. This limitation is documented in the report.
What evidence sources are supported?
The workflow focuses on legally acquired iOS backups and WhatsApp-related databases such as ChatStorage.sqlite, ChatStorage.sqlite-wal, ExtChatDatabase.sqlite, LID.sqlite and CallHistory.sqlite.
Is the workflow suitable for legal or disciplinary use?
It is designed to support defensible review, but use in legal, HR or disciplinary contexts depends on jurisdiction, authority, privacy notices and acquisition method. FRT scopes those constraints before analysis.
What outputs are produced?
Outputs can include JSON, CSV, readable summaries, SHA-256 hashes, source offsets, confidence labels and a hash-linked chain-of-custody log.

Ready to discuss WA Forensic?

Send a confidential brief. We reply within one business day with a named coordinator.

Request a Confidential Consultation