WeChat is one of the world’s most successful apps ever. If you’re a digital forensics examiner, the chances are that you’ve heard of it and probably even worked with it. The app is so successful that it is often referred to as a “Super-App”.

This article will briefly provide some details about WeChat itself:

  • the number of people who use WeChat;
  • the reasons why WeChat is so popular in China and within Asian communities around the world;
  • the features of the WeChat app; and
  • the way in which WeChat data is encrypted and transmitted.

We will then discuss the nature of the evidence itself and share our experience with who engages a private digital forensics expert to extract the evidence and to what use it is commonly put:

  • common sources of evidence include:
    • in-app communication, such as text messages, voice messages, images and videos;
    • currency transactions;
    • business transactions;
    • gift exchanges designed to accommodate Asian cultural celebrations;
  • examination of this evidence is frequently requested from members of the public and the legal community involving disputes such as:
    • transactions and contractual obligations that have not been honoured;
    • family law disputes;
    • employment law (i.e., workplace) disputes; and
    • criminal charges

Finally, this article will discuss some of the challenges experienced by digital forensics examiners when extracting, analyzing and reporting on matters involving WeChat evidence.

WeChat: Analysis of a Super-App

WeChat is commonly referred to a “super-app”, but why? Most point to the sheer number of WeChat users worldwide, which is incredibly large. However, the esteemed label of super-app given to WeChat is most likely attribute to the number of WeChat users in combination with the many user friendly features that WeChat offers. After all, it is highly unlikely that such a large number of people would continue to use an app that did not benefit them.

So, how many people use WeChat worldwide? It is commonly reported that WeChat has more than 1 Billion users Worldwide every monthi. That is an incredibly high number of people in terms of population for the planet Earth. At last count, the Earth was reported to have a population of approximately 7.7 Billion peopleii. The fact that approximately 1 in every 8 people use a single app in any given month is staggering in and of itself.

However, let us not forget that not every person on this planet uses a smart phone. In fact, a recent figure suggests that approximately 5 Billion people will use a smart phone globally by 2019iii. As these two figures continue their collision course, we can roughly expect that 1 in every 5 people in the world who own a smart phone will be using WeChat. Those figures certainly qualify WeChat as a super-app in our opinion.

Why does WeChat have so many users and why are they predominantly Asian, particularly of Chinese origin? In order to answer this question, we must briefly consider the legal and political landscape of China. China is subject to the rule of a dictatorship regime under which the free flow of information, particularly online, is very strictly controlled.

Within the context of such an environment, it was almost inevitable that technology such as WeChat, which predominantly serves to allow individuals and groups to privately and securely communicate by digital means, would explode in popularity. Security is achieved through encrypting the data while it is in transmission. However, we would note that WeChat communications are somewhat unique in that all data is encrypted and sent to servers, located in China, and then on to the end user. This intermediate interception or collection of data is not common in other communication apps such as Facebook Messenger, Whatsapp or iMessage for example that send encrypted data directly between users.

Once people began to use WeChat, word of its utility spread and the developer’s responded by adding features and WeChat has only increased exponentially in popularity over the course of its relatively brief existence.

Uses communicate with one another, or within WeChat groups of users, by sending text messages to one another, including various emojis and stickers that are popular and enjoyable features of such communications. Users are also able to exchange voice messages by making a recording and sending it to a friend or contact within WeChat. Digital images and videos may be sent as well.

As WeChat has developed over time, it has added features to allow users to perform business transactions and transfers of currency to one another. Many businesses accept payment through WeChat, such as taxi services and food providers. A special business account must be set up to accept business payments and WeChat restricts business account users to businesses that are officially registered in China.

Transfers of currency from personal users to personal users are not restricted by geographical location within WeChat. This has given rise to one of WeChat’s most popular features which allows users to send a traditional Chinese New Year monetary gift in the form of a digital red “money packet” sticker.


With such features available and the number of users that enjoy all the benefits of WeChat, it is no surprise that the app has been given the highly appropriate label of a Super-App.

i https://www.statista.com/statistics/255778/number-of-active-wechat-messenger-accounts/

ii http://www.worldometers.info/world-population/

iii https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/

A Closer Look at WeChat Evidence and Whom is Using It?

As we have outlined, WeChat evidence can be a useful resource for examining communications and exchange of information and currency between users. This evidence can often be used to corroborate or call into question someone’s version of events within the context of a criminal prosecution or civil litigation dispute.

DFI Forensics Inc. (https://dfiforensics.ca/) is a private digital forensics firm located in Vancouver, British Columbia, Canada. We do not represent the Government of Canada, nor the Province of British Columbia in criminal or quasi-criminal matters. Therefore, when we are engaged by members of the legal community, it is most often for a civil litigation dispute or to assist in the examination of evidence to aid in the defence of a person charged with a criminal offence.

Most often, these civil litigation matters involve employment (i.e., workplace) legal disputes or family law disputes in which litigants are asking the Court to determine issues of division of family assets and/or issues of custody and access to children of the family relationship.

There is a large Asian community in Vancouver, B.C., and during the course of a high net-worth family law proceeding, many of them engage the services of Lorne MacLean, Q.C., founder and owner of MacLean Law (www.macleanlaw.com). Mr. MacLean has often relied on WeChat evidence in his cases, including within the context of a recent 40-day civil trial in the Supreme Court of British Columbia.

Mr. MacLean recognizes that “WeChat is the number one social media and communication tool for [his firms’] Mandarin and Cantonese speaking clientele. All of standard warnings for inappropriate social media postings and electronic and digital communication apply to WeChat.” Specifically, he advises his clients to “not post social media content or send text WeChat messages they wouldn’t be proud to have a Judge see because believe me in your family case they will!”

This is a testament to the use and value of digital communications, such as those sent between WeChat users, to prove various aspects of a case when a civil dispute finds its way inside a Courtroom.

Working with WeChat: The Digital Forensic Examiners Perspective

Anyone who has worked with WeChat evidence will know that it is generally fairly routine to extract from the source. However, there can be challenges processing and reporting the evidence to our clients in a user-friendly manner.

The challenges you experience and the solutions are often dependent on your choice of forensic software. Not all platforms and suites are equal when working with WeChat evidence in particular.

Some of the challenges encountered in the past involved difficulties in viewing the messages in sequence which stickers, videos and images were also exchanged in the same communication string. Some platforms will not extract the images at all, while some will extract them out of sequence.

The problem in working in this fashion is that a greater reliance in placed on the awareness of the forensic examiner working on the file. Unless the examiner is very clear about the context of the communication and the context within which the stickers, images and videos were exchanged, there may be an error in presenting them to the client or the Court unless great care is taken.

To compound the problem, the evidence is often in Cantonese or Mandarin and, unless the examiner is fluent in the language of the communication between the WeChat users, there may be a greater likelihood that a human error could result.

One of the forensic software tools that is highly capable of dealing with WeChat evidence in the Belkasoft Evidence Center (https://belkasoft.com/ec). Belkasoft Evidence Center (BEC) supports extraction and analysis of WeChat history from Android and iOS devices.

Android WeChat history is stored in the encrypted SQLite database EnMicroMsg.db (com.tencent.mm\MicroMsg\*\ EnMicroMsg.db). This database is encrypted using sqlcipher plugin (https://www.zetetic.net/sqlcipher/sqlcipher-for-android/)

iOS WeChat history is stored in the SQLite database MM.sqlite (AppDomaincom.tencent.xin\Documents\4e091c49a4148702c235801ee48c4694\DB\MM.sqlite). This database is usually unencrypted.

Belkasoft Evidence Center looks for encrypted Android WeChat databases and asks for user input when such a database is found.

Belkasoft Evidence Centre is able to decrypt Android WeChat, using device IMEI and user UIN provided. If UIN was found and extracted from a data source, it will be displayed on the “WeChat decryption options” dialog window:


In Android devices, messages are extracted from the “message” table and contacts are extracted from the “rcontact” table. In iOS devices, messages are extracted from tables starting with “Chat_” and contacts are extracted from the Friend table. The following is an illustration of how the evidence appears within Belkasoft Evidence Centre:


A digital forensics examiner can filter through acquired messages using a number of criteria, illustrated below:


A digital forensics examiner can search for evidence among all data sources and artifact types, as illustrated below:


A digital forensics examiner can bookmark important data, as illustrated below:


Finally, a digital forensics examiner can create a clean, user-friendly report in a variety of common formats and file extensions, as illustrated below:



About the Author

Tyler Hatch is the Founder & CEO of DFI Forensics Inc., a Canadian digital forensics company based out of Vancouver, British Columbia, Canada. Tyler graduated from law school in 2003 and practiced law as a trial lawyer for many years. Although not a forensics examiner himself, Tyler has developed an interest in and passion for digital forensics and founded DFI Forensics Inc. in order to provide its clients with the best advice and service possible to meet their needs.

The article was published in the eForensics Magazine, issue 08/2018 - Social Media and Instant Message Forensics. You can download a copy at https://eforensicsmag.com/download/social-media-forensics/

More details on BEC