WhatsApp and the potential break in the chain of custody.

[paulobreim]

I have an interesting situation on WhatsApp.
After indexing several files, I did a search with text, and the result showed the screen below.

First, I don't know the difference between the green WhatsApp and the blue WhatsApp.
Focusing specifically on the 3 green WhatsApp files, there's a strange situation because the messages are identical: same size, date, time, second, Communication:From, Communication:Date, Message-Body, but in the Communication:To field of one of them, there's a different name.
Looking at the metadata in the Communication:Participants field, person A to person B, I have person B in all 3 files, but person A is the same in two of them, and in the third file, it's a different name.

Another interesting detail. The two that have the same participants originate from:
1 - xxx/TELEMATICA/Resposta Decisão Judicial/Apple/4 - Processamentos - IPED/iped/subitens/6/0/6026347E7CA3C26A99FDFFAE92801381.sqlite>>WhatsApp Chat - ~XXXXXX - 551199999994_1
2 - [email protected]_2023-07-18_Report.ufdr/iPhone de xxx (iPhone 7 Plus)/ChatStorage.sqlite>>WhatsApp Chat - ~XXXXXX - 551199999994_1

The third one appears to be a backup provided by Apple:
3 - xxx/TELEMATICA/Resposta Decisão Judicial/Apple/1 - Arquivos GPG/877272-BACKUP-10271244.zip>>1186890263/877272/[email protected]/backup/D_80358d2904967974121d0ef180b7ed4bcac8d7d7/S_CF797D59...

Anyway, I haven't seen it yet because there's this Apple one with different participants.

Any ideas?

paulo

[paulobreim]

I conducted further research and found other messages in the same situation.

From the data I gathered, the messages that came from a backup sent by Apple have a different sender.

The only possibility I see in this situation is that, after this backup, the user changed their name and phone number, so the new name would appear on the phone.

Is there a WhatsApp record of when the person changed their number to see if that makes sense?

When a person changes their name and phone number, do the old messages then show the new name, meaning the old name is not preserved?

For forensic purposes, this is a very relevant situation because lawyers claim that the data was tampered with and want to characterize a breach of chain of custody, so it's important to find an explanation.

[paulobreim]

@wladimirleite @lfcnassif Do you know why the senders of the message changed?

[wladimirleite]

Well, not sure if I fully understand all the questions...

First, I don't know the difference between the green WhatsApp and the blue WhatsApp.
Did you mean the color of the icon?
If that is the case, one is for WhatsApp chats (the whole conversation) and the other a single message (contained in a chat).

About the participant change, a few questions:

1. Is the difference in the name, the phone number or both?
2. Is the difference only in the metadata (Communication:From) or in the chat HTML?
3. Is the sender the phone owner or another contact? (Phone owner information is usually not stored in the WhatsApp DB)
4. If the sender is a contact, how is it shown under contacts?

When a person changes their name and phone number, do the old messages then show the new name, meaning the old name is not preserved?

If a contact change their WhatsApp number, a notification is shown in the chat history (something like "John changed their phone number. You're currently chatting with their new number.").
Names are different. Once you add a contact to your address book, the name will remain the same. You can call a person by any name (like a nickname or whatever you want). The contact is not aware about this name and can't change it.
The phone owner can (obviously) rename contacts. In such case, there is nothing (in WhatsApp) that controls messages before or after this event.
You can test in your own phone. Rename a contact and see how the app shows the contact in direct (one-to-one) and group chats.
If the contact is not in the address book, a "push name" (if available) is displayed (otherwise, just the number). If the contact changes its push name, the new name is updated.