From cb9b772cdced3160459e298cc025be63c5f32008 Mon Sep 17 00:00:00 2001 From: SolitudePy Date: Fri, 24 Nov 2023 15:40:59 +0200 Subject: [PATCH 1/6] Update Whatsapp.tkape - added locations for Microsoft Store Whatsapp --- Targets/Apps/WhatsApp.tkape | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Targets/Apps/WhatsApp.tkape b/Targets/Apps/WhatsApp.tkape index a1585f31b..f8a0271c6 100644 --- a/Targets/Apps/WhatsApp.tkape +++ b/Targets/Apps/WhatsApp.tkape @@ -14,6 +14,17 @@ Targets: Category: Apps Path: C:\Users\%user%\AppData\Roaming\WhatsApp\Local Storage\leveldb Comment: "Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper" + - + Name: Microsoft Store WhatsApp Cache + Category: Apps + Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalCache\Roaming\WhatsApp\Cache + Comment: "Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files" + - + Name: Microsoft Store WhatsApp Local Storage + Category: Apps + Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalCache\Roaming\WhatsApp\Local Storage\leveldb + Comment: "Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper" + # Documentation # https://belkasoft.com/whatsapp_forensics_on_computers From c0472533b1d1e645878c48467a9f665572aa07bd Mon Sep 17 00:00:00 2001 From: SolitudePy Date: Fri, 24 Nov 2023 15:51:23 +0200 Subject: [PATCH 2/6] Added *ConsoleLog.txt to .gitignore(created when running kape.exe) --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 826d7da1b..cc52bfc37 100644 --- a/.gitignore +++ b/.gitignore 
@@ -3,3 +3,4 @@ gkape.exe *.cli .DS_Store *.swp +*ConsoleLog.txt From 3ffad92cdac0d92ee7938acc620317d2601d71f6 Mon Sep 17 00:00:00 2001 From: SolitudePy Date: Fri, 24 Nov 2023 15:51:45 +0200 Subject: [PATCH 3/6] Update WhatsApp.tkape metadata --- Targets/Apps/WhatsApp.tkape | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Targets/Apps/WhatsApp.tkape b/Targets/Apps/WhatsApp.tkape index f8a0271c6..63db04fa8 100644 --- a/Targets/Apps/WhatsApp.tkape +++ b/Targets/Apps/WhatsApp.tkape @@ -1,6 +1,6 @@ Description: WhatsApp Local Files -Author: Matt Dawson -Version: 1.0 +Author: Matt Dawson, SolitudePy +Version: 1.1 Id: a6f739e3-21fc-4942-9272-26d567f014da RecreateDirectories: true Targets: From ae1af9f86641e0aaf5b7d76b2fed0403a38885da Mon Sep 17 00:00:00 2001 From: SolitudePy Date: Fri, 24 Nov 2023 16:37:18 +0200 Subject: [PATCH 4/6] Create WhatsApp_Media.tkape --- Targets/Apps/WhatsApp_Media.tkape | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 Targets/Apps/WhatsApp_Media.tkape diff --git a/Targets/Apps/WhatsApp_Media.tkape b/Targets/Apps/WhatsApp_Media.tkape new file mode 100644 index 000000000..c78e11a59 --- /dev/null +++ b/Targets/Apps/WhatsApp_Media.tkape 
@@ -0,0 +1,22 @@ +Description: WhatsApp Shared Media Files +Author: SolitudePy +Version: 1.0 +Id: b148236d-1064-42c4-bbb2-f08ad7aa8530 +RecreateDirectories: true +Targets: + - + Name: Microsoft Store WhatsApp Desktop Profile Pictures + Category: Apps + Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\profilePictures + Comment: "Copies the local store of contacts profile pictures, simply open with a photos software" + - + Name: Microsoft Store WhatsApp Shared Photos & Videos + Category: Apps + Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers + Recursive: true + FileMask: regex:.*\.(jpg|mp4|pdf|webp) + Comment: "Copies the shared photos, can get very large." + + +# Documentation +# Whatsapp Desktop saves shared media locally, simply open it with a media software. From e5b9e61e799c9bdf15eb6d1abc3754b0025b24b1 Mon Sep 17 00:00:00 2001 From: SolitudePy Date: Fri, 24 Nov 2023 16:55:11 +0200 Subject: [PATCH 5/6] Updated WhatsApp_Media.tkape comment --- Targets/Apps/WhatsApp_Media.tkape | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Targets/Apps/WhatsApp_Media.tkape b/Targets/Apps/WhatsApp_Media.tkape index c78e11a59..ac9e1681c 100644 --- a/Targets/Apps/WhatsApp_Media.tkape +++ b/Targets/Apps/WhatsApp_Media.tkape 
@@ -10,12 +10,12 @@ Targets: Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\profilePictures Comment: "Copies the local store of contacts profile pictures, simply open with a photos software" - - Name: Microsoft Store WhatsApp Shared Photos & Videos + Name: Microsoft Store WhatsApp Shared Media Category: Apps Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers Recursive: true FileMask: regex:.*\.(jpg|mp4|pdf|webp) - Comment: "Copies the shared photos, can get very large." + Comment: "Copies the shared media, can get very large." # Documentation From 69b5eb032fe36a1e3afa1dea0b22280ce9b51429 Mon Sep 17 00:00:00 2001 From: SolitudePy Date: Fri, 24 Nov 2023 20:56:58 +0200 Subject: [PATCH 6/6] Change to wildcards in whatsapp targets --- Targets/Apps/WhatsApp.tkape | 4 ++-- Targets/Apps/WhatsApp_Media.tkape | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Targets/Apps/WhatsApp.tkape b/Targets/Apps/WhatsApp.tkape index 63db04fa8..d16a876ec 100644 --- a/Targets/Apps/WhatsApp.tkape +++ b/Targets/Apps/WhatsApp.tkape 
@@ -17,12 +17,12 @@ Targets: - Name: Microsoft Store WhatsApp Cache Category: Apps - Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalCache\Roaming\WhatsApp\Cache + Path: C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache Comment: "Copies the cache of WhatsApp. Can be opened with Chrome Cache Viewer for viewing embedded thumbnails and other image artefacts, as well as extracting .enc message files or other files" - Name: Microsoft Store WhatsApp Local Storage Category: Apps - Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalCache\Roaming\WhatsApp\Local Storage\leveldb + Path: C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Local Storage\leveldb Comment: "Copies the Local Storage leveldb of WhatsApp. Contains phone model and name of user, plus encrypted base64 strings which can be viewed with LevelDBDumper" diff --git a/Targets/Apps/WhatsApp_Media.tkape b/Targets/Apps/WhatsApp_Media.tkape index ac9e1681c..3776bb602 100644 --- a/Targets/Apps/WhatsApp_Media.tkape +++ b/Targets/Apps/WhatsApp_Media.tkape @@ -7,12 +7,12 @@ Targets: - Name: Microsoft Store WhatsApp Desktop Profile Pictures Category: Apps - Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\profilePictures + Path: C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\profilePictures Comment: "Copies the local store of contacts profile pictures, simply open with a photos software" - Name: Microsoft Store WhatsApp Shared Media Category: Apps - Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers + Path: C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalState\shared\transfers Recursive: true FileMask: regex:.*\.(jpg|mp4|pdf|webp) Comment: "Copies the shared media, can get very large."
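Review bot: in [PATCH 1/6], the two targets added to Targets/Apps/WhatsApp.tkape come with no new entry under `# Documentation`, where the only reference in the hunk is the existing belkasoft link. Add a line saying where the `Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalCache\Roaming\WhatsApp` layout was observed or documented, so an examiner can tell which install type each target covers. The two new `Comment:` strings are also copied verbatim from the non-Store targets; naming the Microsoft Store build in them would keep the entries distinguishable when only the comment is shown.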
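Review bot: in [PATCH 2/6], the `.gitignore` entry `*ConsoleLog.txt` has no leading slash, so it ignores any file ending in `ConsoleLog.txt` at every depth of the repository, not only the log written next to kape.exe. If the log is only ever created in the repository root, `/*ConsoleLog.txt` keeps the rule from hiding a similarly named file that someone later adds under Targets or Modules.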
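Review bot: in [PATCH 4/6], `FileMask: regex:.*\.(jpg|mp4|pdf|webp)` on the `shared\transfers` target has no end anchor and lists only four lower-case extensions, so any other file type in that directory is silently left out of the collection, and if the match is unanchored a name such as `x.jpg.tmp` would also pass. Since [PATCH 5/6] renames the target to "Shared Media", either anchor and widen the mask to the types the folder actually holds, or state in the `Comment:` exactly which extensions are collected so an examiner does not read the output as the complete set of transferred files. The `# Documentation` section of this new file also has no reference for the `LocalState` paths.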
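Review bot: in [PATCH 6/6], replacing `5319275A.WhatsAppDesktop_cv1g1gvanyjgm` with `*WhatsAppDesktop*` in all four `Path:` lines drops the publisher prefix as well as the suffix, so every directory under `AppData\Local\Packages` whose name contains "WhatsAppDesktop" is now collected as if it were the Store app. If the intent was only to tolerate a different suffix, `5319275A.WhatsAppDesktop_*` keeps the match tied to the package name seen in the earlier patches. The change also leaves `Version:` untouched in both files; that is fine if the series is merged as one unit, but worth confirming.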