Merge pull request #887 from SolitudePy/master

Updated WhatsApp.tkape, .gitignore, Created WhatsApp_Media.tkape
EricZimmerman · Dec 1, 2023 · d366c90 · d366c90
2 parents 7c3eef5 + 69b5eb0
commit d366c90
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@ gkape.exe
 *.cli
 .DS_Store
 *.swp
+*ConsoleLog.txt
diff --git a/Targets/Apps/WhatsApp.tkape b/Targets/Apps/WhatsApp.tkape
@@ -1,6 +1,6 @@
 Description: WhatsApp Local Files
-Author: Matt Dawson
-Version: 1.0
+Author: Matt Dawson, SolitudePy
+Version: 1.1
 Id: a6f739e3-21fc-4942-9272-26d567f014da
 RecreateDirectories: true
 Targets:
@@ -14,6 +14,17 @@ Targets:
         Category: Apps
         Path: C:\Users\%user%\AppData\Roaming\WhatsApp\Local Storage\leveldb
         Comment: "Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper"
+    -
+        Name: Microsoft Store WhatsApp Cache
+        Category: Apps
+        Path: C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache
+        Comment: "Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files"
+    -
+        Name: Microsoft Store WhatsApp Local Storage
+        Category: Apps
+        Path: C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb
+        Comment: "Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper"
+
 
 # Documentation
 # https://belkasoft.com/whatsapp_forensics_on_computers

diff --git a/Targets/Apps/WhatsApp_Media.tkape b/Targets/Apps/WhatsApp_Media.tkape
@@ -0,0 +1,22 @@
+Description: WhatsApp Shared Media Files
+Author: SolitudePy
+Version: 1.0
+Id: b148236d-1064-42c4-bbb2-f08ad7aa8530
+RecreateDirectories: true
+Targets:
+    -
+        Name: Microsoft Store WhatsApp Desktop Profile Pictures
+        Category: Apps
+        Path: C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\profilePictures
+        Comment: "Copies the local store of contacts profile pictures, simply open with a photos software"
+    -
+        Name: Microsoft Store WhatsApp Shared Media
+        Category: Apps
+        Path: C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\shared\transfers
+        Recursive: true
+        FileMask: regex:.*\.(jpg|mp4|pdf|webp)
+        Comment: "Copies the shared media, can get very large."
+
+
+# Documentation
+# Whatsapp Desktop saves shared media locally, simply open it with a media software.
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,3 +3,4 @@ gkape.exe @@
     *.cli
     .DS_Store
     *.swp
+    *ConsoleLog.txt