WhatsApp Desktop — iCloud Backup
Overview
WhatsApp Desktop syncs backup data to iCloud via the Mobile Documents directory. This backup contains a mix of encrypted and unencrypted files — a distinction that is critical for forensic investigators.
The encrypted .enc files (ChatStorage.sqlite.enc, CallHistory.sqlite.enc, etc.) require the user's end-to-end backup encryption key and cannot be decrypted without it. However, the unencrypted .tar archives (Media.tar, Video.tar, Document.tar, GIFs.tar, Stickers.tar, Thumbnail.tar) contain media files in standard tar format and are fully accessible without any decryption.
The iCloud backup is a secondary data source. The primary source for WhatsApp message forensics is the plaintext live database in the Group Container, which requires no decryption at all.
File Location
```
~/Library/Mobile Documents/57T9237FN3~net~whatsapp~WhatsApp/
  Accounts/
    <phone_number>/                 # e.g., "14155551234"
      backup/
        Backup.plist                # Backup metadata (unencrypted)
        ChatStorage.sqlite.enc      # Chat database (AES encrypted)
        ChatSearch.sqlite.enc       # Search index (encrypted)
        CallHistory.sqlite.enc      # Call records (encrypted)
        BackedUpKeyValue.sqlite.enc # Account/crypto data (encrypted)
        ExtChatDatabase.sqlite.enc  # Extended chat data (encrypted)
        Labels.sqlite.enc           # Message labels (encrypted)
        LID.sqlite.enc              # Linked device info (encrypted)
        Sticker.sqlite.enc          # Sticker metadata (encrypted)
        UserDefaults.plist.enc      # User preferences (encrypted)
        Media.tar                   # Photos/images (UNENCRYPTED)
        Video.tar                   # Videos (UNENCRYPTED)
        Document.tar                # Shared documents (UNENCRYPTED)
        GIFs.tar                    # Animated GIFs (UNENCRYPTED)
        Stickers.tar                # Sticker files (UNENCRYPTED)
        Thumbnail.tar               # Thumbnail images (UNENCRYPTED)
        Thumbnail_1.tar             # Additional thumbnails (UNENCRYPTED)
  Documents/                        # Typically empty
```
The iCloud container identifier is 57T9237FN3~net~whatsapp~WhatsApp (Team ID 57T9237FN3 + bundle path). The team ID prefix may change across WhatsApp releases — use glob matching (*WhatsApp*) for robust detection.
A second iCloud container at ~/Library/Mobile Documents/iCloud~net~whatsapp~WhatsApp/Documents/ typically exists but is empty.
Account Enumeration
Each subdirectory under Accounts/ is named with the account owner's full phone number including country code (e.g., 14155551234 for +1-415-555-1234, 61412345678 for +61-412-345-678). This provides direct identity attribution without any additional lookup.
Multiple accounts may exist if the user has used WhatsApp with different phone numbers on the same Mac.
Backup.plist
The Backup.plist file is unencrypted and contains metadata about the backup state:
```
{
  "Date" => <backup timestamp>,
  "E" => {
    "Ch" => <ChatStorage.sqlite.enc size in bytes>,
    "Do" => <Document.tar size>,
    "GI" => <GIFs.tar size>,
    "Me" => <Media.tar size>,
    "St" => <Stickers.tar size>,
    "Vi" => <Video.tar size>
  },
  "H" => <32-byte hash (SHA-256)>,
  "I" => true/false,
  "K" => <integer (key version)>,
  "S" => <total backup size in bytes>,
  "Version" => 7
}
```
| Field | Type | Description |
|---|---|---|
| Date | Date | When the backup was last updated |
| E.Ch | Integer | Encrypted chat database size (bytes) |
| E.Me | Integer | Media.tar archive size (bytes) |
| E.Vi | Integer | Video.tar archive size (bytes) |
| E.Do | Integer | Document.tar archive size (bytes) |
| E.GI | Integer | GIFs.tar archive size (bytes) |
| E.St | Integer | Stickers.tar archive size (bytes) |
| H | Data | 32-byte hash (SHA-256) |
| I | Boolean | true/false flag |
| S | Integer | Total backup size across all files (bytes) |
| Version | Integer | Backup format version (currently 7) |
| K | Integer | Encryption key version |
The E.* size fields are forensically useful even without decrypting the databases — they reveal the volume of communication and media activity for the account.
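The following is an added example (not part of macfor or this page's own tooling) that reads the unencrypted Backup.plist with Python's standard `plistlib`, maps the two-letter `E.*` keys to the archives documented above, and reports per-archive volume. The sample plist is constructed in memory with the documented keys; the `E_KEYS` mapping and helper names are this example's own.

```python
import plistlib
from datetime import datetime, timezone

# Two-letter keys inside "E" -> the archive/file each size refers to (from the
# Backup.plist layout documented on this page).
E_KEYS = {
    "Ch": "ChatStorage.sqlite.enc",
    "Do": "Document.tar",
    "GI": "GIFs.tar",
    "Me": "Media.tar",
    "St": "Stickers.tar",
    "Vi": "Video.tar",
}


def parse_backup_plist(data: bytes) -> dict:
    """Parse raw Backup.plist bytes into a flat summary dict.

    Only unencrypted metadata is read; no .enc content is touched. Unknown
    keys under "E" are kept by their raw two-letter name so that a newer
    backup format version does not silently lose information.
    """
    plist = plistlib.loads(data)
    sizes = {E_KEYS.get(k, k): int(v) for k, v in plist.get("E", {}).items()}
    date = plist.get("Date")
    if isinstance(date, datetime) and date.tzinfo is None:
        # plistlib returns naive datetimes; plist dates are always UTC
        date = date.replace(tzinfo=timezone.utc)
    digest = plist.get("H")
    return {
        "date": date,
        "sizes": sizes,
        "total_size": int(plist.get("S", 0)),
        "version": plist.get("Version"),
        "key_version": plist.get("K"),
        "hash_hex": digest.hex() if isinstance(digest, bytes) else None,
    }


def media_volume_summary(parsed: dict) -> dict:
    """Archive sizes in MiB, the coarse activity picture an examiner reports."""
    return {name: round(size / (1024 * 1024), 2) for name, size in parsed["sizes"].items()}


# Constructed sample Backup.plist (values are illustrative, not from a real account).
SAMPLE_PLIST = plistlib.dumps({
    "Date": datetime(2024, 3, 1, 12, 30, 0),
    "E": {"Ch": 52428800, "Do": 1048576, "GI": 2097152,
          "Me": 314572800, "St": 524288, "Vi": 5368709120},
    "H": bytes(range(32)),
    "I": False,
    "K": 1,
    "S": 5760000000,
    "Version": 7,
})

if __name__ == "__main__":
    parsed = parse_backup_plist(SAMPLE_PLIST)
    print("backup date:", parsed["date"].isoformat(), "format version:", parsed["version"])
    for name, mib in media_volume_summary(parsed).items():
        print(f"{name:28s} {mib:>12.2f} MiB")
```

Because the `E` sub-keys are only two letters, keep the mapping explicit rather than guessing from the first letters of the archive names; an unmapped key is reported as-is so it is visible in the output rather than dropped.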
Encrypted Files (.enc)
All .enc files are AES-encrypted with the user's end-to-end encrypted backup key. This is either a 64-character hex key or a password-derived key that the user configured in WhatsApp's backup settings.
Decryption is out of scope for macfor. These files are catalogued and their metadata (size, modification time) is recorded, but no attempt is made to decrypt them.
| File | Contents |
|---|---|
| ChatStorage.sqlite.enc | Full chat message database (same schema as the live Group Container database) |
| ChatSearch.sqlite.enc | FTS search index |
| CallHistory.sqlite.enc | WhatsApp voice/video call records |
| BackedUpKeyValue.sqlite.enc | Cryptographic keys and account recovery data |
| ExtChatDatabase.sqlite.enc | Extended chat data |
| Labels.sqlite.enc | Message labels/tags |
| LID.sqlite.enc | Linked device information |
| Sticker.sqlite.enc | Sticker pack metadata |
| UserDefaults.plist.enc | User preferences |
The existence of CallHistory.sqlite.enc proves that WhatsApp call records ARE stored locally — contrary to WhatsApp's documentation suggesting call history is server-side only. While the file is encrypted, its presence and size are evidence of call activity.
Unencrypted Tar Archives
The .tar files are standard, unencrypted tar archives. They can be opened with any tar-compatible tool and contain the actual media files shared through WhatsApp conversations.
| Archive | Typical Contents | Typical Size |
|---|---|---|
| Media.tar | Photos and images (JPEG, PNG, WebP) | 50 MB - 500 MB |
| Video.tar | Video files (MP4, MOV) | 50 MB - 10+ GB |
| Document.tar | Shared files (PDF, DOC, XLS, ZIP) | 1 MB - 100 MB |
| GIFs.tar | Animated GIF files | 1 MB - 50 MB |
| Stickers.tar | Sticker image files (WebP) | 1 MB - 20 MB |
| Thumbnail.tar | Thumbnail preview images | 1 MB - 50 MB |
Video.tar can be extremely large on heavy-use accounts. macfor enumerates tar contents by default (metadata only) and provides an include_tar_contents option to extract actual files. Plan storage accordingly before enabling full extraction.
Files within the tar archives retain their original filenames and modification timestamps. MIME types can be detected from file extensions or magic bytes.
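As an added example (not macfor's implementation), the Python below does what the two paragraphs above describe: a metadata-only listing of a tar archive (name, size, original mtime, MIME type sniffed from magic bytes) and an opt-in extraction. The extraction step refuses members whose names would land outside the destination directory (`..` components, absolute paths, links, device nodes), a check worth keeping on any archive that came from a third party's sync folder. The archive is constructed in memory; the member names and the `sniff_mime`, `is_safe_member`, `enumerate_tar` and `extract_safe` helpers are this example's own.

```python
import io
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Magic-byte prefixes for the media types the archives typically hold.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]


def sniff_mime(header: bytes) -> str:
    """MIME type from the first bytes of a file; WebP and MP4 carry their tag at an offset."""
    for sig, mime in MAGIC:
        if header.startswith(sig):
            return mime
    if header[:4] == b"RIFF" and header[8:12] == b"WEBP":
        return "image/webp"
    if header[4:8] == b"ftyp":
        return "video/mp4"
    return "application/octet-stream"


def is_safe_member(member: tarfile.TarInfo) -> bool:
    """Reject members that could escape the extraction root or are not plain files/dirs."""
    if os.path.isabs(member.name) or ".." in Path(member.name).parts:
        return False
    if member.issym() or member.islnk() or member.isdev():
        return False
    return True


def enumerate_tar(data: bytes) -> list:
    """Metadata-only listing: nothing is written to disk, only the first 16 bytes are read."""
    entries = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for member in tf:
            mime = None
            if member.isfile():
                with tf.extractfile(member) as f:
                    mime = sniff_mime(f.read(16))
            entries.append({
                "name": member.name,
                "size": member.size,
                "mtime": datetime.fromtimestamp(member.mtime, tz=timezone.utc).isoformat(),
                "mime": mime,
                "safe": is_safe_member(member),
            })
    return entries


def extract_safe(data: bytes, dest=None):
    """Extract only members passing is_safe_member; returns (dest, names written).

    dest defaults to a fresh temporary directory. Original mtimes are preserved.
    """
    dest = Path(dest) if dest else Path(tempfile.mkdtemp(prefix="whatsapp_media_"))
    written = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for member in tf:
            if not is_safe_member(member):
                continue  # logged by callers; never written
            target = dest / member.name
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            if not member.isfile():
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with tf.extractfile(member) as src, open(target, "wb") as out:
                out.write(src.read())
            os.utime(target, (member.mtime, member.mtime))
            written.append(member.name)
    return dest, written


def build_sample_tar() -> bytes:
    """Constructed stand-in for Media.tar: two image stubs plus one traversal member."""
    buf = io.BytesIO()
    samples = {
        "Media/IMG-20240301-WA0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "Media/IMG-20240301-WA0002.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "../../outside.txt": b"should never be written",
    }
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in samples.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            info.mtime = 1709296200  # 2024-03-01T12:30:00Z, constructed
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for e in enumerate_tar(build_sample_tar()):
        print(e)
```

Enumeration runs the same safety check as extraction and records the verdict per member, so an examiner sees a hostile entry in the listing long before deciding to enable full extraction.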
iCloud Placeholder Files
Files in the Mobile Documents directory may appear as .icloud placeholder files if they have not been downloaded to the local machine. A placeholder file has the format:
```
.<original_filename>.icloud
```
For example, Media.tar would appear as .Media.tar.icloud if it exists only in iCloud and has not been synced locally. macfor detects these placeholders and reports them as is_placeholder: true in the output, indicating data exists in iCloud but is not available for local collection.
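The Python below is an added example (not macfor's own code) that ties together the file-location, account-enumeration and placeholder sections: it globs for the container with `*WhatsApp*` as recommended above, reads the phone-number directories under Accounts/, and reports each backup/ file with an `is_placeholder` flag, resolving `.Video.tar.icloud` back to `Video.tar`. The directory tree is constructed in a temporary directory; the digit-only phone-number pattern and the helper names are assumptions of this example.

```python
import glob
import re
import tempfile
from pathlib import Path

PLACEHOLDER_RE = re.compile(r"^\.(?P<name>.+)\.icloud$")
# Account directories are E.164 digits without '+' (assumed bounds of 7-15 digits).
PHONE_RE = re.compile(r"^\d{7,15}$")
ENCRYPTED_SUFFIX = ".enc"


def find_containers(mobile_documents: Path) -> list:
    """Glob for WhatsApp iCloud containers; the team-ID prefix may change between releases."""
    return sorted(Path(p) for p in glob.glob(str(mobile_documents / "*WhatsApp*")))


def enumerate_accounts(container: Path) -> list:
    """Phone-number directories under Accounts/ (each one is an identity attribution)."""
    accounts_dir = container / "Accounts"
    if not accounts_dir.is_dir():
        return []
    return sorted(p.name for p in accounts_dir.iterdir()
                  if p.is_dir() and PHONE_RE.match(p.name))


def classify_backup_file(path: Path) -> dict:
    """Describe one backup/ entry; placeholders are reported under their real filename."""
    m = PLACEHOLDER_RE.match(path.name)
    if m:
        name = m.group("name")
        # Data exists in iCloud but was never downloaded: no local size is available.
        return {"name": name, "is_placeholder": True, "size": None,
                "encrypted": name.endswith(ENCRYPTED_SUFFIX)}
    return {"name": path.name, "is_placeholder": False, "size": path.stat().st_size,
            "encrypted": path.name.endswith(ENCRYPTED_SUFFIX)}


def enumerate_backups(mobile_documents: Path) -> list:
    """Every container -> account -> backup/ file, with placeholder and encryption status."""
    records = []
    for container in find_containers(mobile_documents):
        for account in enumerate_accounts(container):
            backup_dir = container / "Accounts" / account / "backup"
            if not backup_dir.is_dir():
                continue
            for f in sorted(backup_dir.iterdir()):
                if not f.is_file():
                    continue
                rec = classify_backup_file(f)
                rec.update({"container": container.name, "account": account})
                records.append(rec)
    return records


def build_sample_tree() -> Path:
    """Constructed fixture mimicking ~/Library/Mobile Documents (one account, mixed sync state)."""
    root = Path(tempfile.mkdtemp(prefix="mobile_documents_"))
    backup = root / "57T9237FN3~net~whatsapp~WhatsApp" / "Accounts" / "14155551234" / "backup"
    backup.mkdir(parents=True)
    (backup / "Backup.plist").write_bytes(b"<plist/>")            # synced, unencrypted
    (backup / "Media.tar").write_bytes(b"\x00" * 1024)            # synced tar (stub bytes)
    (backup / ".Video.tar.icloud").write_bytes(b"")               # placeholder only
    (backup / "ChatStorage.sqlite.enc").write_bytes(b"\x00" * 64) # encrypted (stub bytes)
    (root / "iCloud~net~whatsapp~WhatsApp" / "Documents").mkdir(parents=True)  # usually empty
    return root


if __name__ == "__main__":
    for rec in enumerate_backups(build_sample_tree()):
        print(rec)
```

A placeholder record carries no size, so volume estimates for that archive should come from the `E.*` fields in Backup.plist rather than from the filesystem; the record's presence is what tells the examiner a separate iCloud request may be needed.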
Forensic Analysis Notes
- Tar archives are the primary evidence source from the iCloud backup. Even when the chat databases are encrypted, the media files provide substantial evidence of what was shared.
- Backup.plist timestamps show when WhatsApp last synced to iCloud, establishing a timeline of application activity.
- File sizes in Backup.plist reveal communication volume without requiring decryption. A 500 MB Media.tar indicates significant photo sharing; a 10 GB Video.tar indicates extensive video exchange.
- Account directory names provide phone number attribution. Combined with country code analysis, this can establish the geographic origin of the account.
- Placeholder files indicate data exists in iCloud that was not synced locally. This may warrant a separate iCloud legal process request.
- The live Group Container database at ~/Library/Group Containers/group.net.whatsapp.WhatsApp.shared/ChatStorage.sqlite contains the same message data as the encrypted ChatStorage.sqlite.enc — in plaintext. Always check the Group Container first.
Tool Support
| Tool | Support Level |
|---|---|
| macfor | Full: backup metadata, file enumeration, tar extraction, placeholder detection |
| tar CLI | Manual tar archive extraction |
| plutil | Manual Backup.plist inspection |
| whats-enc | Open-source .enc file decryption (requires key) |