
Overview

IPED provides comprehensive parsers for popular messaging applications, extracting messages, contacts, media attachments, and communication metadata. These parsers handle both Android and iOS artifacts, including encrypted databases and backup files.

WhatsApp Parser

The WhatsApp parser processes SQLite databases from Android and iOS devices, extracting complete chat histories with media linking.

Supported Artifacts

  • msgstore.db.crypt* (Android Database): Main message database (supports crypt1-crypt15 encryption)
  • wa.db (Android Database): Contacts and account information
  • ChatStorage.sqlite (iOS Database): iOS message database
  • ContactsV2.sqlite (iOS Database): iOS contacts database
  • com.whatsapp_preferences.xml (Android XML): Account configuration and user information

Extracted Metadata

WhatsApp Message Properties
ExtraProperties.USER_ACCOUNT          // Phone number with country code
ExtraProperties.USER_NAME             // Display name
ExtraProperties.USER_PHONE            // International format (+55...)
ExtraProperties.MESSAGE_DATE          // Timestamp
ExtraProperties.MESSAGE_BODY          // Text content
ExtraProperties.PARTICIPANTS          // Chat participants
ExtraProperties.IS_GROUP_MESSAGE      // Group chat indicator
ExtraProperties.GROUP_ID              // Format: [email protected]
ExtraProperties.LINKED_ITEMS          // SHA-256 hash queries for media
ExtraProperties.SHARED_HASHES         // Hashes of sent media

Features

  • Backup Merging: Automatically merges multiple backup databases to recover deleted messages
  • Media Linking: Links messages to media files using SHA-256 hashes with fallback strategies
  • Deleted Recovery: Scans SQLite free pages to recover deleted messages and chats
  • Status Messages: Extracts and expands broadcast status messages per contact
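
Why scanning free pages recovers anything, shown as an added example (independent Python, not IPED's code): when SQLite frees a page it normally leaves the old bytes in place and only records the page number on the freelist. The table name `messages`, the sample rows and the helper names are constructed for this illustration.

```python
import sqlite3
import struct


def freelist_pages(data):
    """Return (page_size, freelist page numbers) from raw SQLite file bytes."""
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                      # header value 1 encodes 65536
        page_size = 65536
    trunk = struct.unpack(">I", data[32:36])[0]   # first freelist trunk page
    pages, seen = [], set()
    while trunk and trunk not in seen:      # guard against a looped chain
        seen.add(trunk)
        off = (trunk - 1) * page_size
        if off + page_size > len(data):
            break                           # truncated or corrupt file
        nxt, count = struct.unpack(">II", data[off:off + 8])
        count = min(count, (page_size - 8) // 4)  # bound a corrupt leaf count
        pages.append(trunk)
        pages.extend(struct.unpack(">%dI" % count,
                                   data[off + 8:off + 8 + 4 * count]))
        trunk = nxt                         # follow the trunk chain
    return page_size, pages


def residue_in_free_pages(path, needle):
    """Return the freelist pages whose raw bytes still contain needle."""
    with open(path, "rb") as f:
        data = f.read()
    page_size, pages = freelist_pages(data)
    return [p for p in pages
            if needle in data[(p - 1) * page_size:p * page_size]]


def build_sample_db(path):
    """Constructed sample: a message table whose rows are all deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA auto_vacuum=NONE")   # keep freed pages in the file
    con.execute("PRAGMA secure_delete=OFF")  # freed pages keep their old bytes
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, data TEXT)")
    con.executemany("INSERT INTO messages (data) VALUES (?)",
                    [("constructed-msg-%04d " % i + "x" * 200,)
                     for i in range(2000)])
    con.commit()
    con.execute("DELETE FROM messages")      # rows vanish from every query
    con.commit()
    con.close()
```

If the application ran with `secure_delete` enabled or the database was vacuumed, the freed pages are zeroed or dropped and this kind of scan finds nothing.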

Configuration Options

WhatsAppParser Configuration
@Field
public void setExtractMessages(boolean extractMessages);
// Extract individual message items (default: true)

@Field
public void setMergeBackups(boolean mergeBackups);
// Merge msgstore backup databases (default: false)

@Field
public void setRecoverDeletedRecords(boolean recoverDeletedRecords);
// Scan free pages for deleted data (default: true)

@Field
public void setMinChatSplitSize(int minChatSplitSize);
// Split large chats into fragments (default: 6000000 bytes)

@Field
public void setLinkMediasByNameAndApproxSizeFallback(boolean enable);
// Use filename matching as fallback (default: true)

Message Types

  • TEXT_MESSAGE: Plain text messages
  • IMAGE_MESSAGE: Photos and images
  • VIDEO_MESSAGE: Video files
  • AUDIO_MESSAGE: Voice messages and audio
  • DOCUMENT_MESSAGE: PDF, Office, and other documents
  • LOCATION_MESSAGE: GPS coordinates
  • SHARE_LOCATION_MESSAGE: Live location sharing
  • CONTACT_MESSAGE: vCard contacts
  • STICKER_MESSAGE: Sticker attachments
  • CALL_MESSAGE: Voice and video calls
  • DELETED_MESSAGE: Deleted by sender
  • SYSTEM_MESSAGE: Group notifications and events

Media Linking Strategy

Media Linking Process
1. SHA-256 Hash Matching (Primary)
   - Extracts media_hash from message database
   - Searches case items: hash:"sha-256" = <media_hash>

2. Filename + Size Fallback
   - Matches filename and approximate file size
   - Used when hash not available

3. Long Path Fallback
   - Searches by full WhatsApp media path
   - Configurable via linkMediasByLongPathFallback
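
The three-step order above, as an added example (independent Python, not IPED's code). It returns the strategy that produced each link so a report can separate hash matches from weaker name or path matches. Assumptions: the message fields `media_hash` (base64 of the SHA-256 digest), `media_name`, `media_size`, `media_path`, the 16-byte size tolerance, and all sample data are constructed here.

```python
import base64
import hashlib

SIZE_TOLERANCE = 16  # bytes; assumed value, not taken from IPED


def link_media(msg, items, long_path_fallback=True):
    """Return (matching case items, strategy) using the three-step order."""
    # 1. Primary: SHA-256 match (assumes media_hash is base64 of the digest).
    if msg.get("media_hash"):
        try:
            want = base64.b64decode(msg["media_hash"], validate=True).hex()
        except ValueError:
            want = None                      # malformed hash: fall through
        hits = [i for i in items if i["sha256"] == want]
        if hits:
            return hits, "sha256"
    # 2. Fallback: same file name and approximately the same size.
    name, size = msg.get("media_name"), msg.get("media_size")
    if name and size is not None:
        hits = [i for i in items if i["name"] == name
                and abs(i["size"] - size) <= SIZE_TOLERANCE]
        if hits:
            return hits, "name+size"
    # 3. Fallback: full WhatsApp media path, matched as a path suffix.
    path = msg.get("media_path")
    if long_path_fallback and path:
        hits = [i for i in items if i["path"].endswith(path)]
        if hits:
            return hits, "long-path"
    return [], "unlinked"


# Constructed sample data (not from a real case).
_BLOB = b"constructed image bytes"
CASE_ITEMS = [
    {"sha256": hashlib.sha256(_BLOB).hexdigest(), "name": "IMG-0001.jpg",
     "size": len(_BLOB), "path": "/sdcard/WhatsApp/Media/WhatsApp Images/IMG-0001.jpg"},
    {"sha256": "0" * 64, "name": "VID-0002.mp4",
     "size": 50_000, "path": "/sdcard/WhatsApp/Media/WhatsApp Video/VID-0002.mp4"},
]
MESSAGES = [
    {"media_hash": base64.b64encode(hashlib.sha256(_BLOB).digest()).decode()},
    {"media_hash": None, "media_name": "VID-0002.mp4", "media_size": 50_008},
    {"media_path": "Media/WhatsApp Video/VID-0002.mp4"},
    {"media_name": "missing.jpg", "media_size": 10},
]
```

Only the `sha256` result ties a message to exact file content; `name+size` and `long-path` links can point at a different file with the same name and should be reviewed before being relied on.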

Telegram Parser

Processes Telegram databases from Android and iOS with support for channels, groups, and secret chats.

Supported Artifacts

  • cache4.db (Android Database): Main Telegram message database
  • userconfing.xml (Android XML): User account configuration (base64-encoded)
  • *.sqlite (iOS Database): iOS Telegram databases

Extracted Metadata

Telegram Message Properties
ExtraProperties.USER_ACCOUNT          // Username
ExtraProperties.USER_NAME             // Full name
ExtraProperties.USER_PHONE            // Phone number
ExtraProperties.MESSAGE_DATE          // Message timestamp
ExtraProperties.MESSAGE_BODY          // Text content
ExtraProperties.LOCATIONS             // GPS coordinates (lat;lon)
ExtraProperties.IS_GROUP_MESSAGE      // Group/channel indicator
ExtraProperties.LINKED_ITEMS          // Media hash queries

Chat Types

  • One-on-one conversations between users
  • Multi-user group conversations with members list
  • Broadcast channels with subscriber information
  • End-to-end encrypted conversations (when available)

Configuration

TelegramParser Configuration
@Field
public void setExtractMessages(boolean extractMessages);
// Extract individual messages (default: true)

@Field
public void setMinChatSplitSize(int minChatSplitSize);
// Chat fragmentation threshold (default: 6000000)

@Field
public void setEnabledForUfdr(boolean enable);
// Enable for UFDR extractions (default: false)

Skype Parser

Extracts conversations, contacts, file transfers, and call logs from Skype main.db files.

Supported Artifacts

  • main.db (SQLite Database): Skype conversation and contact database (versions 7 and 12)

Extracted Data

Skype Conversation Metadata
TikaCoreProperties.CREATED          // Chat creation date
TikaCoreProperties.MODIFIED         // Last activity
ExtraProperties.ITEM_VIRTUAL_ID     // Conversation ID
ExtraProperties.PARTICIPANTS        // Participant list
ExtraProperties.LINKED_ITEMS        // Attachment hashes
ExtraProperties.SHARED_HASHES       // Sent file hashes

Configuration

SkypeParser Configuration
@Field
public void setExtractMessages(boolean extractMessages);
// Extract individual messages (default: true)

Discord Parser

Processes Discord Local Storage databases, extracting messages from cached channels.

Supported Artifacts

  • *.ldb (LevelDB Files): Discord Local Storage cache files

The Discord parser extracts cached messages from Local Storage. Complete history requires data acquisition during active sessions.

Threema Parser

Extracts messages from Threema SQLite databases.

Supported Artifacts

  • threema*.db (SQLite Database): Threema message and contact databases

UFDR Chat Parser

Processes chats extracted by Cellebrite UFDR (Universal Forensic Data Reader) from various applications.

Supported Applications

  • WhatsApp: UFDR WhatsApp extractions
  • Telegram: UFDR Telegram extractions
  • Facebook: Facebook Messenger
  • Signal: Signal messages
  • Snapchat: Snapchat conversations
  • Instagram: Instagram DMs
  • Viber: Viber messages
  • TikTok: TikTok chats
  • Discord: Discord messages

Configuration

UfedChatParser Configuration
@Field
public void setExtractMessages(boolean extractMessages);
// Extract individual messages (default: true)

@Field
public void setExtractActivityLogs(boolean extractActivityLogs);
// Extract activity log events (default: true)

@Field
public void setIgnoreEmptyChats(boolean ignoreEmptyChats);
// Skip chats with no user messages (default: false)

@Field
public void setMinChatSplitSize(int minChatSplitSize);
// Chat fragmentation size (default: 6000000)

Common Features

Child Porn Hash Detection

All chat parsers integrate with hash databases:
Hash Detection
List<String> hashSets = ChildPornHashLookup.lookupHash(mediaHash);
if (!hashSets.isEmpty()) {
    metadata.set(ExtraProperties.HASHDB_STATUS, "pedo");
    for (String set : hashSets) {
        metadata.add(ExtraProperties.HASHDB_SET, set);
    }
}
IPED includes PhotoDNA support for law enforcement agencies. Contact the IPED team for access.

Avatar Extraction

Profile pictures are extracted and stored as base64:
if (account.getAvatar() != null) {
    metadata.set(ExtraProperties.THUMBNAIL_BASE64, 
                Base64.getEncoder().encodeToString(account.getAvatar()));
}

Location Data

GPS coordinates are standardized:
if (message.getLatitude() != null && message.getLongitude() != null) {
    metadata.set(ExtraProperties.LOCATIONS, 
                message.getLatitude() + ";" + message.getLongitude());
}

HTML Report Structure

Chat reports include:
  • Chat header: Participants, group info, creation date
  • Message table: Chronological message list with timestamps
  • Media thumbnails: Inline previews when available
  • System messages: Group events, security notifications
  • Contact cards: vCard information rendering
  • Location maps: GPS coordinate visualization

Best Practices

1. Enable SHA-256 Hashing
   - Set IsSha256Enabled=true to enable media linking via hash matching

2. Configure Hash Task
   - Enable IsHashTaskEnabled=true for attachment correlation

3. Consider Backup Merging
   - Enable mergeBackups for WhatsApp when multiple backup files exist

4. Monitor Memory Usage
   - Large merged databases can require significant memory resources
