I needed to extract a series of WhatsApp conversations from a Samsung Galaxy S 10+ running Android 9. Since the device was not rooted, I was only able to get logical and file system extractions - I was able to extract the backup databases containing the messages but as expected, they were encrypted and I did not have access to the decryption key (again, because the device was not rooted).
Some factors to consider:
· I had consent from the owner to access the information that was stored on the phone, but I did not have the authority to log in with the What’s App account on another device to restore the messages to it and get a full physical extraction.
· Many of the key messages in the case were voice messages sent within the WhatsApp chat threads, so taking manual photographs only was not an option. XRY has a program called Photon that takes pictures of WhatsApp chats in an automated way and generates a report. I did not have access to Photon and it would not have worked for the voice messages.
WhatsApp, like many other mobile apps, uses SQLite databases to store information. However, one of the things that makes WhatsApp so secure is that it uses end-to-end encryption. This very feature that makes the app so attractive to users can be a big headache for us forensicators.
Messages and related information such as timestamps, information about attached media, etc. are stored in msgstore.db. wa.db stores information about the user’s contacts, such as contact IDs, display names, phone numbers, etc. These databases are located under /data/data/com.whatsapp/databases/ . I was not able to access any of these files as the device was not rooted and I was not able to get a physical extraction.
WhatsApp backups (backups of msgstore.db) are stored in encrypted databases with the filename format msgstore-####-##-##.#.db.crypt**, where the number denoted by ** varies depending on the version of the encryption algorithm used. (In this case, I was dealing with crypt12). These encrypted backups are located in /mnt/sdcard/WhatsApp/Databases if the user has a physical SD card or in /data/media/0/WhatsApp/Databases in case of emulated storage.
Figure 1 - Sample of encrypted backup databases
The decryption key for these databases is located at data/data/com.whatsapp/files/key. However, to get the decryption key the device would need to be rooted or we would need a physical extraction, which was our problem to begin with.
Also, since WhatsApp uses a relay service and end-to-end encryption, even with legal process the company wouldn’t be able to provide message content.
The attachments sent and received through the app are not encrypted and are saved on the device (or micro sd card if there is one), however, retrieving just the attachments without the context of the entire conversation may not make much sense for an investigation.
If there is no physical micro SD card present:
The voice messages can be found at data/media/0/WhatsApp/Media/WhatsApp Voice Notes. The filename format is PTT-YYYYMMDD-WA####.opus, where YYYYMMDD means the date in Year, Month, and Day format and ## are digits from 0 to 9.
Pictures can be found at /data/media/0/WhatsApp/Media/WhatsApp Images/ The filename format for the pictures is IMG-YYYYMMDD-WA####.jpg
Videos can be found at /data/media/0/WhatsApp/Media/WhatsApp Video/ The filename format for the videos is VID-YYYYMMDD-WA####.mp4
After following my standard procedures such as photographing the device and documenting all the steps, I obtained file system and logical extractions with CelleBrite’s UFED Touch2. I also obtained a quick extraction with Magnet’s Axiom. After verifying that I was not able to obtain the WhatsApp messages with any of these extractions (just like I expected), I proceeded to research other possible alternatives. None of the free tools or scripts that I could find online to extract the decryption key would work, as the phone was non-rooted and was running Android 9.
Other options suggested in some forensic forums included:
· If the device’s phone number was the number associated with the WhatsApp account, you should be able to put that SIM card inside a test phone (rooted or one where you could get a physical extraction). You could then get the key file from the test phone and use it to open the encrypted database. NOTE: I did not have permission from the phone’s owner to do this.
· Downgrading the app appeared to work with older versions of the OS, but not with Android 9 at this moment.
· The WhatsApp account on the phone was set up to back up the subject’s Google account - but I was not able to do that unless I connected the phone to the network, which I wasn’t able to do either.
My next option would be to export each chat thread to my forensic laptop using Bluetooth. Before doing this, I made sure I had the approval to do so from the lead detective, and documented all the steps, as I was interacting directly with the phone content.
For each conversation (yes, you have to export one thread at a time with this method), click on the three dots (“More options”) on the top right corner of the screen > More > Export chat. Then, select whether you want to export the media (pictures, videos, voice messages) or just the text. In this case, I needed everything, since I had many voice messages containing what seemed to be relevant information - otherwise I would have just taken pictures of the conversations. When prompted how I wanted to export the conversation, I selected “Bluetooth”.
|Figure 2 - Select "More options" (three dots)|
|Figure 3 - Options to export the chat|
The messages and attachments were then exported to a folder on my forensic laptop. I chose to name each folder with the same name listed in the WhatsApp (whether this was the contact name or group name).
For each thread, a .txt file is created containing the text conversation. Any media attachments are also exported to that folder with the following format (see Figure 4 below):
NOTE: The WhatsApp FAQ page mentions there is a limit to the number of messages that can be exported via email. “When exporting with media, you can send up to 10,000 latest messages. Without media, you can send 40,000 messages. These constraints are due to maximum email sizes.” I could not find any information as to whether there was a limit on the number of messages that could be exported using Bluetooth, but I did notice it was approximately 16-18 mb worth of media (starting with the newest attachments).
This is not a problem, as I still have these files from the CelleBrite extraction, so if an older media file that had not been exported was needed we could still find it, but keep this in mind if you are skipping that step.
It can be good practice to hash the exported files and create an L01 image to keep a copy of them with your case data.
My next problem was how to present all this information to the lead detective. I asked my friend and mentor Alexis Brignoni (@AlexisBrignoni) for suggestions and he quickly wrote a script that processes all the extracted folders and generates HTML reports for each message thread.
You can find the awesome script here:
A few things about this awesome script:
- The script runs in Python3… you may need to install a dependency such as PySimpleGUI (pip3 install PySimpleGUI).
- Make sure you make a folder for each of the conversations you export. (I just exported one conversation in the example shown below – JavaVonMutt). Place all the folders with the different conversations within another folder (in this case, the WhatsApp2 folder), and place this folder in the same folder that has the Python script and the logo.
Figure 4 - Sample directory structure
- Make sure you point the script to the main folder where you have all your chats (in this case, WhatsApp2)
|Figure 5 - WhatsApp Manual Extractor Report Generator GUI|
- At this time, the reports do not open correctly in Safari. I used Chrome and it looks beautiful!
|Figure 6 – Report for the Java Von Mutt chat thread|
|Figure 7- Image hyperlinked within the report|
Note: This post is focused on WhatsApp on regular Android devices. The types of artifacts generated by WhatsApp in other operating systems may vary. According to my research, in iOS, WhatsApp data can be found on iTunes backups without any further encryption (you just need the iTunes backup password - or reset it if you don’t have it… but that’s a topic for another day.)
Double check your work. Don’t just rely on one tool. Whenever possible, test your tools and test your results.
Document, document, document.
The fact that your tool of choice can’t parse an artifact at the moment doesn’t mean it is the end of the world. We are examiners, not robots. Think outside the box!
Share your findings with the community. This is how we grow.
Until next time!
Katalov, V. (2018, Dec. 20). A New Method for Decrypting WhatsApp Backups. Retrieved from https://blog.elcomsoft.com/2018/12/a-new-method-for-decrypting-whatsapp-backups/
Mikhailov, I. (2019, July 19). WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts. Retrieved from https://www.group-ib.com/blog/whatsapp_forensic_artifacts