Category: «Did you know that...?», «Elcomsoft News», «General», «Software», «Tips & Tricks»
Feb 06, 2019: When dealing with WhatsApp on Android-based phones, the SQLite databases named msgstore.db and wa.db are the most important. The msgstore.db database contains the chat messages between the user and their contacts, and the wa.db file stores all of the WhatsApp user’s contact information. The msgstore.db within WhatsApp contains 2 tables.

Dec 01, 2013: WhatsApp saves messages into a database file. With these Tasker tasks, we write directly into the database with a shell command and the sqlite binary (in this case the one that comes with Titanium Backup; many other apps have the same binary included). The Tasker task kills WhatsApp so it will restart and reload the database; it will find a.
Dec 06, 2019: User379860 posted. Agree with AlessandroCaliaro, you cannot access it. If you want to achieve a result like sharing a SQLite database between apps in Android, you need to specify a shared user id in the AndroidManifest.xml of both apps like this.

Jul 28, 2014: On most smart devices, .db files are generally SQLite databases, so the file will start with 'SQLite format 3'. If you open your .db file with any hexadecimal editor, at offset 0 you should find the header string 'SQLite format 3\000'. You can use DB Browser for SQLite; you can grab it from here.
WhatsApp remains one of the most popular instant messengers. With more than 1.5 billion users and about half a billion daily active users, WhatsApp sends over 100 billion messages per day. WhatsApp is secure thanks to end-to-end encryption, which makes intercepted messages impossible to decrypt. While this is great news for consumers and privacy advocates, it is also bad news for law enforcement. Once an expert needs to access a suspect’s WhatsApp communication history, they will struggle with the encryption and call for a vendor-provided backdoor (WhatsApp: The Bad Guys’ Secret Weapon).
Are there any other options to access WhatsApp conversations? We know of at least two. The first option is capturing the message database directly from the device of either party. The other option is going through the cloud. WhatsApp does not have a native cloud service of its own the way Telegram does. All it has is a message relay service, which does not store messages any longer than required to pass them along. In other words, any message that passes through WhatsApp servers is deleted as soon as it is delivered (and it would be of no use to forensic experts anyway due to end-to-end encryption). It is important to note that a WhatsApp account cannot be used on more than one device.
Let’s review WhatsApp recovery/decryption options for both Android and iOS, and see what is new in Elcomsoft eXplorer for WhatsApp (EXWA).
WhatsApp in Android
On Android smartphones, WhatsApp keeps its chat database in a sandbox. The database is excluded from ADB backups, and can only be accessed if the device is rooted. The only way to access a WhatsApp database on non-rooted devices requires sideloading a special version of WhatsApp and forcing it to return the original, unencrypted database to the host. We can do it with EXWA, but only on older versions of Android, from Android 4.0 through 6.0.1. Android 7.0 and newer make things much more complex; we are still looking forward to implementing a similar approach for more recent Android builds. In other words, if you are acquiring a reasonably new Android handset, it’s not very likely that you’ll be able to pull this trick (at least for the time being).
WhatsApp can also create a standalone backup to Android shared storage or an SD card, but such backups are always encrypted. Encrypted WhatsApp backups have file names ending with .cryptNN, where NN is a number. To decrypt that database, you will need the encryption key that is stored in the WhatsApp sandbox. This puts us back to the root/no root situation, as sandbox access is only possible if you have superuser permissions. And if you do, you are much better off just pulling the original WhatsApp database from the app’s sandbox – unless you need data in that particular backup. The number in the .cryptNN suffix represents the revision of the encryption algorithm that is used to protect the backup. These are very minor changes in the encryption algorithms that do not actually affect the security. Open-source code is available to decrypt such files (e.g. here and there), but you still need the encryption key, which is not easy to obtain.
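As an added example (not from this page and not part of any Elcomsoft tool), the shell functions below implement the two identification checks mentioned in the snippets at the top of the page and in the paragraph above: a file pulled from an Android device is recognised as a plaintext SQLite database (msgstore.db, wa.db) by the standard 'SQLite format 3' header, and as an encrypted standalone backup by its .cryptNN suffix, from which the revision number is extracted. The header is checked first, so a file that has already been decrypted but still carries a .cryptNN name is not reported as encrypted. The function and variable names, and the sample file names used in the comments, are my own constructions.

```shell
#!/bin/sh
# Added triage helper (not from the page, not an Elcomsoft tool): classify files
# pulled from an Android device as plaintext SQLite databases (msgstore.db, wa.db)
# or encrypted WhatsApp backups (.cryptNN), going by the file header first and
# the file name second. "SQLite format 3" is the standard SQLite file magic.

# Print the first 15 bytes of a file: the SQLite magic without its trailing NUL,
# which is dropped on purpose so the value survives command substitution.
wa_header() {
    dd if="$1" bs=15 count=1 2>/dev/null
}

# Classify one file: "sqlite", "crypt:NN" (NN = revision taken from the name),
# or "unknown". A plaintext header wins over a .cryptNN name, so a mislabelled
# or already decrypted file (e.g. a constructed "mislabelled.db.crypt8") is not
# reported as encrypted.
wa_file_kind() {
    f=$1
    if [ "$(wa_header "$f")" = "SQLite format 3" ]; then
        echo sqlite
        return 0
    fi
    case "$f" in
        *.crypt[0-9]|*.crypt[0-9][0-9])
            echo "crypt:${f##*.crypt}"
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Walk one directory (non-recursive) and print "<kind> <path>" per regular file,
# e.g. "crypt:12 /evidence/msgstore-2019-02-06.1.db.crypt12" (constructed name).
wa_triage() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(wa_file_kind "$f")" "$f"
    done
}

# Stand-alone usage: sh triage.sh /path/to/pulled/files
if [ -n "${1:-}" ]; then
    wa_triage "$1"
fi
```

The revision number is only read from the name; the header check tells you whether decryption is still needed at all, which is the question a practitioner actually has before reaching for the key.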
Is it possible to calculate or generate the encryption key instead of extracting it? We can try. But first, let us have a look at WhatsApp backups on Google Drive.
WhatsApp backups created from within the app are optional: you can select a daily, weekly or monthly schedule, or run one on demand by pressing the [Backup] button. You can also completely disable backups. A backup will always contain chats and pictures (videos are optional), but not contacts. For the Android version of WhatsApp (and therefore for backups on Google Drive), chats are always encrypted, while media files are not.
For a long time, EXWA has been able to download WhatsApp backups from Google Drive (of course, if you have the user’s Google credentials), see Extract and Decrypt Android WhatsApp Backups from Google Account.
How do we deal with the encryption? The same way WhatsApp itself does when restoring from a backup: one needs to obtain a security code by SMS (so you need access to the phone number in order to receive it). The only issue is that once the code is generated on the server, WhatsApp is deactivated on the user’s device. The user can of course re-activate it, but the encryption key we generate will only work for backups saved before that point, not for any future backups.
WhatsApp in iOS
For iOS devices, the easiest way to access WhatsApp conversations is analyzing a local iTunes-style backup. There is no additional encryption for WhatsApp data inside device backups. However, if a backup password is set, one must enter the password, recover it or reset it on the iPhone itself.
What about iCloud backups? They are essentially the same; WhatsApp chats and media files are saved there as well without any additional encryption. You will need to have the user’s iCloud credentials (password plus the second factor, or the authentication token) to download device backups. Once you download a backup, WhatsApp extraction is trivial.
Just like the Android version, WhatsApp for iOS can make standalone backups as well. These are stored in iCloud Drive.
WhatsApp standalone backups in iCloud Drive are also encrypted. The protection is similar to backups in Google Drive. EXWA supports these backups as well, see Extract and Decrypt WhatsApp Backups from iCloud.
New in Elcomsoft Extractor for WhatsApp
So what has changed in EXWA? We learned how to obtain the encryption keys directly from the iPhone, and so we can now decrypt WhatsApp standalone iCloud Drive backups without the need for the security code. The user’s WhatsApp installation will therefore remain active.
Technically speaking, the encryption key is stored in the keychain. Most keychain items can be easily accessed with Elcomsoft Phone Breaker, just not this one: the WhatsApp encryption key is assigned a higher protection class, and so it can only be obtained with iOS Forensic Toolkit 4.0 using Physical Keychain Extraction.
Once you obtain the encryption key and open the WhatsApp backup downloaded from iCloud Drive, you will be prompted for decryption (as before). However, instead of authenticating with WhatsApp servers (to obtain the security code), you can now specify the path to the keychain file you extracted with iOS Forensic Toolkit (keychaindump.xml by default).
This is the old method. We request the activation key from WhatsApp:
And this is the new method: you just need the keychain file from a jailbroken iPhone:
There are multiple benefits to this approach. First, you no longer need to obtain the security code by SMS or phone call, and WhatsApp remains active on the user’s iPhone. If you don’t have access to the user’s SIM card, this could be the only extraction method available. In addition, the decryption key will work for all past and future backups.
Why ever bother with iCloud Drive backups if you have the device available? A backup may contain chats that have already been deleted on the device. While you can sometimes recover deleted records from a SQLite database, this is not always the case.
Conclusion
Elcomsoft eXplorer for WhatsApp is the most powerful WhatsApp recovery and decryption tool on the market that supports both iOS and Android versions of WhatsApp and decrypts all types of backups. We will do our best to add even more features; your suggestions are really appreciated. Speaking of which, do you need a macOS version?
WhatsApp does a backup of the messages at 4am (local time) every day to the SD card. On Android, this backup is an encrypted copy of the SQLite database containing all of the WhatsApp messages. If you want to read the messages on a computer, you will need to decrypt the file.
There are several tools available to decrypt the WhatsApp chats, but what we need is just the openssl utility.
On Android, pull the encrypted file from your phone at the below location:
We will now need to decrypt the file using AES with a 192-bit key, which is:
Open a shell or command prompt window and run openssl as shown.
The command will take the msgstore.db.crypt file as input (specified with the -in option), perform AES decryption and write the output to msgstore.db (specified with the -out option). Now the output file can be read using the sqlite3 program or any other SQLite utility.
To encrypt the file back, we will need to run openssl with the same key.
The openssl utility will have created an encrypted file called msgstore.db.crypt2; if you perform a binary comparison between the original encrypted file, msgstore.db.crypt, and this file, they should be exactly the same.
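The procedure above (decrypt with openssl, inspect, re-encrypt, binary-compare) as one added shell script. This is not the original author's command line: it assumes AES-192 in ECB mode with the raw key passed via -K (ECB takes no IV, which is why -K alone suffices), the key is deliberately not included and must be supplied by the caller, and the function names are my own. The round trip doubles as a check that the key was right: if the decrypted output does not start with the SQLite header, or the re-encrypted file differs from the original backup, the key or the crypt revision is wrong, which is exactly the failure the update note below describes for newer files.

```shell
#!/bin/sh
# Added example (not the original author's command line): decrypt a legacy
# msgstore.db.crypt backup with openssl, verify that the output really is a
# SQLite database, re-encrypt it with the same key and confirm the result is
# byte-identical to the original backup.
# Assumptions: AES in ECB mode with a raw 192-bit key given as 48 hex characters
# via -K (no IV needed in ECB); the key is supplied by the caller, not embedded.

wa_decrypt() {   # wa_decrypt KEY_HEX IN.crypt OUT.db
    openssl enc -d -aes-192-ecb -K "$1" -in "$2" -out "$3"
}

wa_encrypt() {   # wa_encrypt KEY_HEX IN.db OUT.crypt
    openssl enc -aes-192-ecb -K "$1" -in "$2" -out "$3"
}

# Return 0 and print "ok" only if decrypt -> header check -> re-encrypt -> compare
# all succeed; distinct non-zero codes tell the caller which step failed.
wa_roundtrip_check() {
    key=$1 crypt=$2 db=$3
    wa_decrypt "$key" "$crypt" "$db" 2>/dev/null || {
        echo "decryption failed (wrong key or padding error)" >&2; return 1; }
    # First 15 bytes of a SQLite file are the magic "SQLite format 3" (then a NUL).
    [ "$(dd if="$db" bs=15 count=1 2>/dev/null)" = "SQLite format 3" ] || {
        echo "output is not a SQLite database (wrong key or a newer crypt revision)" >&2; return 2; }
    # Re-encrypt to <db>.crypt2, mirroring the page, and compare with the original.
    wa_encrypt "$key" "$db" "$db.crypt2" || return 1
    cmp -s "$crypt" "$db.crypt2" || {
        echo "re-encrypted file differs from the original backup" >&2; return 3; }
    echo ok
}

# Stand-alone usage: sh roundtrip.sh <48-hex-char-key> msgstore.db.crypt msgstore.db
if [ "$#" -eq 3 ]; then
    wa_roundtrip_check "$1" "$2" "$3"
fi
```

Because -K supplies the raw key directly, openssl writes no salt header, so encryption is deterministic and the byte-for-byte comparison is meaningful; a differing file after re-encryption means the padding or mode assumption, not just the key, does not match the backup.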
Update (22-Mar-2014): The WhatsApp database encryption method has recently been changed. Therefore this method will not work on the new crypt5 files.
Related: How to Decrypt WhatsApp crypt5 Database Messages
Related: How to Decrypt WhatsApp crypt7 Database Messages
Related: How to Decrypt WhatsApp crypt8 Database Messages
Mohamed Ibrahim
ibrahim = { interested_in(unix, linux, android, open_source, reverse_engineering); coding(c, shell, php, python, java, javascript, nodejs, react); plays_on(xbox, ps4); linux_desktop_user(true); }