Forensics must let the evidence speak; never decide a case on your own convictions. Avoid drawing the target after shooting the arrow, searching only to find what you already expect. The foundation of forensics rests on experience and judgment: the richer your experience across the IT fields, the better you can spot the clues. Forensics should make good use of tools without over-relying on them. A tool can only narrow the range of possibilities; it cannot give you the answer, which still depends on human analysis and judgment.



As we know, WeChat wipes deleted chat messages, which is why forensic examiners cannot dig deleted chat messages out of EnMicroMsg.db. Is it possible to make those deleted chat messages show up again?


For performance's sake, WeChat creates a full-text index to give users a better experience, and that index is the key for forensic examiners to recover deleted chat messages or contacts. Let me show you where the index lives, as below.



Look into the tables "FTS5IndexMessage_content" and "FTS5IndexContact_content" and you will find all chat messages and contacts. No doubt those deleted chat messages and contacts still exist in these tables: a suspect may delete chat messages, but there is no way he or she can delete the index database.
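As an added example (not part of the original post), the check below shows how an examiner would read the FTS5 shadow tables directly with plain SQL and flag indexed text that no longer has a surviving row in the live "message" table. It assumes an already-decrypted copy of EnMicroMsg.db with the SQLite FTS5 convention of "id" and "c0" columns in the "_content" shadow tables; the sample database is constructed in memory.

```python
import sqlite3

# Constructed stand-in for a decrypted EnMicroMsg.db (assumed layout):
# `message` is the live chat table; the `*_content` tables are the FTS5
# shadow tables holding the indexed text (SQLite names the columns id, c0).
SCHEMA = """
CREATE TABLE message (msgId INTEGER PRIMARY KEY, talker TEXT,
                      createTime INTEGER, content TEXT);
CREATE TABLE FTS5IndexMessage_content (id INTEGER PRIMARY KEY, c0 TEXT);
CREATE TABLE FTS5IndexContact_content (id INTEGER PRIMARY KEY, c0 TEXT);
"""

def build_sample_db() -> sqlite3.Connection:
    """In-memory sample: messages 3 and 5 were deleted from `message`,
    but their text still sits in the index shadow table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO message VALUES (?,?,?,?)", [
        (1, "wxid_a", 1501700000, "see you at nine"),
        (2, "wxid_b", 1501700100, "send me the file"),
        (4, "wxid_a", 1501700300, "ok"),
    ])
    conn.executemany("INSERT INTO FTS5IndexMessage_content VALUES (?,?)", [
        (1, "see you at nine"), (2, "send me the file"),
        (3, "delete this later"), (4, "ok"), (5, "meet at the pier"),
    ])
    conn.executemany("INSERT INTO FTS5IndexContact_content VALUES (?,?)",
                     [(1, "Alice"), (2, "Bob")])
    return conn

def index_shadow_tables(conn) -> list[str]:
    """Locate the FTS shadow tables via sqlite_master. They are ordinary
    tables, so they stay readable even when the FTS5 module is unavailable."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' "
                        "AND name LIKE 'FTS5Index%\\_content' ESCAPE '\\' "
                        "ORDER BY name")
    return [r[0] for r in rows]

def orphaned_index_text(conn, shadow="FTS5IndexMessage_content") -> list[tuple]:
    """Indexed text with no surviving `message` row: deleted-message candidates.
    Matching on text is an assumption; the real mapping from an index row to
    a msgId is not described in the post."""
    sql = (f"SELECT s.id, s.c0 FROM {shadow} s WHERE s.c0 IS NOT NULL "
           "AND NOT EXISTS (SELECT 1 FROM message m WHERE m.content = s.c0) "
           "ORDER BY s.id")
    return conn.execute(sql).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    print("index tables:", index_shadow_tables(db))
    for rowid, text in orphaned_index_text(db):
        print(f"deleted-message candidate: index row {rowid}: {text!r}")
```

On a real extraction, point sqlite3.connect at the decrypted database copy instead of build_sample_db(); nothing else changes.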


Of course, a suspect may uninstall WeChat, after which its folder "com.tencent.mm" no longer exists. But forensic examiners can still recover WeChat content by deep recovery on an image acquired from the Android phone.

Manufacturers of mobile forensic software should take this into consideration so that their tools won't miss deleted WeChat chat messages again.

posted on 2017-08-03 13:13  Pieces0310