Computer Engineering and Applications ›› 2021, Vol. 57 ›› Issue (23): 146-153. DOI: 10.3778/j.issn.1002-8331.2007-0284

• Network, Communication and Security •

Recovery Method of WeChat Revoking Message Based on Dynamic Memory Analysis

NI Xueli, LIANG Guangjun   

  1. Department of Computer Information and Cyber Security, Jiangsu Police Institute, Nanjing 210031, China
  2. Jiangsu Electronic Data Forensics and Analysis Engineering Research Center, Nanjing 210031, China
  3. Key Laboratory of Digital Forensics, Jiangsu Provincial Public Security Department, Nanjing 210031, China
  • Online: 2021-12-01 Published: 2021-12-02





As an instant messaging system favored by users, WeChat brings great convenience to people’s lives, but it also provides criminals with new methods and tools for committing crimes. WeChat chat records are a type of electronic evidence explicitly listed in Chinese law, and their validity has attracted wide attention, making the recovery of WeChat chat records a research hotspot in related fields. Most existing research on chat recovery focuses on deleted messages, while the recovery of revoked messages has not made effective progress. By studying the dynamic memory management mechanism of PC WeChat, this paper analyzes the characteristic characters and field structure of revoked messages in dynamic memory. By comparing the storage principles of different message types such as text, emoticons and pictures, it proposes a method for recovering revoked WeChat messages based on dynamic memory analysis. Finally, a tool written in Python is used to batch-recover revoked-message data such as the text, revocation status and WeChat ID, which verifies the effectiveness of the method.

Key words: dynamic memory, revoking message, data recovery, digital forensics, Python


