SYSTEM
WA FORENSICS :: OFFLINE WHATSAPP EVIDENCE INVENTORY :: CHAT EXPORT ANALYSIS :: SHA-256 HASHING :: CYBER REPORTING UI ::
TRACE
EVIDENCE_MODE: READ_ONLY HASH_PIPELINE: SHA-256

WHATSAPP FORENSIC WORKFLOW.

Use this page as the operating checklist for Android WhatsApp evidence: copy the folder, inventory files, analyze exported chats, and preserve hashes.

START CHECKLIST REQUEST HELP
CASE_METRICS
EXPECTED OUTPUTS
// INVENTORY
CSV
FILE LIST + HASHES
// MESSAGES
JSON
PARSED CHAT DATA
// ATTACHMENTS
SHA
MEDIA VERIFICATION
// REPORT
HTML
BROWSER VIEW
INVESTIGATION_FLOW
ANDROID WHATSAPP FOLDER
StepActionWhy It Matters
01Copy the WhatsApp folder from Android to a working evidence folder.Preserves the source and avoids editing the phone copy during analysis.
02Run the `inventory` command on the copied folder.Creates a defensible file list with modified times, sizes, categories, and SHA-256 hashes.
03If `_chat.txt` exists, run the `analyze` command with the same folder as `--media-dir`.Links messages with referenced media and includes attachment hashes.
04Open the generated `report.html` and archive all output files.Keeps the report, raw parsed data, and inventory together for review.

Encrypted `msgstore.db.crypt*` files can be listed and hashed, but this project does not decrypt them or bypass WhatsApp account/device protection.

COMMAND_CONSOLE
POWERSHELL
INVENTORY COMMAND

python -m waforensics.cli inventory --source-dir "WhatsApp" --output-dir out-inventory --case-id CASE-001

ANALYZE COMMAND

python -m waforensics.cli analyze --chat "WhatsApp\_chat.txt" --media-dir "WhatsApp" --output-dir out --timezone Asia/Kolkata