{"id":13341772,"url":"https://github.com/MrOctopus/pyWhatsUpp","last_synced_at":"2025-03-11T22:31:33.382Z","repository":{"id":45848676,"uuid":"416062796","full_name":"MrOctopus/pyWhatsUpp","owner":"MrOctopus","description":"A forensic tool to automatically extract as many artifacts as possible from the WhatsApp desktop/web client","archived":false,"fork":false,"pushed_at":"2022-01-12T04:21:39.000Z","size":126,"stargazers_count":15,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-10-24T10:07:27.903Z","etag":null,"topics":["desktop","forensic","forensics-tools","whatsapp"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MrOctopus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-10-11T19:39:16.000Z","updated_at":"2024-10-12T14:05:50.000Z","dependencies_parsed_at":"2022-08-06T03:01:18.111Z","dependency_job_id":null,"html_url":"https://github.com/MrOctopus/pyWhatsUpp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrOctopus%2FpyWhatsUpp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrOctopus%2FpyWhatsUpp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrOctopus%2FpyWhatsUpp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrOctopus%2FpyWhatsUpp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MrOctopus","download_url":"https://codeload.github.com/MrOcto
pus/pyWhatsUpp/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243125202,"owners_count":20240263,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["desktop","forensic","forensics-tools","whatsapp"],"created_at":"2024-07-29T19:26:32.464Z","updated_at":"2025-03-11T22:31:32.787Z","avatar_url":"https://github.com/MrOctopus.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pyWhatsUpp\n\nA forensic tool to automatically collect and extract as many artifacts as possible from the WhatsApp desktop/web client.\n\n## Requirements\n\n* Python 3.6+\n\n## Features\n\n### Collection\n\n* Automatic\n    - From an automatically determined WhatsApp drive and OS (Useful for collection on the same device)\n    - From a user defined root directory/drive and OS (Useful for mounted drives)\n* Manual\n    - From a user defined WhatsApp data directory (Useful for unusual(?) 
WhatsApp locations)\n\n### Extraction\n\n* Cached contact avatars\n* General logs\n* Processing logs\n* Event logs\n* WhatsApp username\n\n### Interpretation\n\n* pyWhatsUpp will try to enrich event logs with explanations and interpretations\n\n### Hashing\n\n* pyWhatsUpp supports outputting a list of all collected file hashes\n\n## Support\n\nAlthough pyWhatsUpp can be run on every platform that supports Python,\ncollection can only be performed on data/mounts derived from supported OSes.\n\n### OS\n\n* Windows (Win7-Win11)\n* macOS\n\nNot supported:\n\n* Linux\n\n### Client\n\n* WhatsApp desktop for Windows\n* WhatsApp desktop for Mac\n* Firefox browser\n* Microsoft Edge browser\n* Chrome browser\n* Opera browser\n\nNot supported:\n\n* Safari browser\n\n## Usage\n\n```\nRun pyWhatsUpp in-place with automatic collection:\npython run.py\n\nRun pyWhatsUpp with strict interpretation (only output valid interpretations):\npython run.py -si\n\nShow verbose logs and generate sha256 hashes:\npython run.py -v -ha\n\nRun pyWhatsUpp on a specific WhatsApp folder:\npython run.py -i folderpath\n\nRun pyWhatsUpp on a mounted Windows installation drive and perform automatic collection:\npython run.py -a -os Windows -i mountedrootpath\n```\n\n### Notes\n\nWhilst pyWhatsUpp attempts to preserve the file metadata of collected artifacts the best it can, a separate forensic image should also be made to ensure that the original file metadata can be compared against. 
Notably, the Python library that pyWhatsUpp uses to copy metadata (shutil) is not reliable enough to ensure the integrity of Accessed and Created timestamps.\n\n## Thanks to\n\n* Ntninja for [mozidb](https://gitlab.com/ntninja/moz-idb-edit/-/tree/master)\n* cclgroupltd for [ccl_chrome_indexeddb](https://github.com/cclgroupltd/ccl_chrome_indexeddb)\n\n## Resources for further reading\n\n* Firefox IndexedDB proprietary format: https://stackoverflow.com/questions/54920939/parsing-fb-puritys-firefox-idb-indexed-database-api-object-data-blob-from-lin\n\n* Interpreting WhatsApp event logs: https://www.semanticscholar.org/paper/Browser-Forensic-Investigations-of-WhatsApp-Web-Paligu-Varol/0054508526255eff5c15de5ab3194591e842d731\n\n* General WhatsApp web/desktop data explanation: https://github.com/Enrico204/whatsapp-decoding/blob/master/PROTOCOL.md\n\n* General WhatsApp forensics know-how: https://blog.group-ib.com/whatsapp_forensic_artifacts","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMrOctopus%2FpyWhatsUpp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMrOctopus%2FpyWhatsUpp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMrOctopus%2FpyWhatsUpp/lists"}