With the popularity of smart phones, various mobile social tools have appeared on the market. Among them, social tools that used to share pictures and videos as the core have also been implanted with mobile chat functions to increase user stickiness and use time. Among these tools, the ultimate feature of WhatsApp is simple and easy to use, and it also provides encryption of chat messages between users.
Two years ago, WhatsApp started to develop comprehensive end-to-end encryption technology and used software provided by the non-profit security organization Open Whisper Systems. This chat application has enabled this technology by default for plain text communication between two users in 2014, but group chat messages and rich media messages are not fully encrypted. Now WhatsApp has improved its default encryption settings, allowing only senders and recipients to view messages. All current WhatsApp messages will receive end-to-end encryption support. In other words, even if law enforcement agencies forcefully intervene, the company cannot read user information.
Although there have been several information security incidents, WhatsApp is still one of the most popular instant messaging tools. WhatsApp has more than 1.5 billion users and approximately 500 million daily active users, sending more than 100 billion messages every day. The security of WhatsApp benefits from end-to-end encryption, making intercepted messages impossible to decrypt. While this is good news for consumers, it is also bad news for law enforcement agencies. Unless the company agrees to provide a backdoor that allows them to access the suspect's WhatsApp communication records, law enforcement officials will face encryption issues.
So besides using the backdoor and password, are there other options to access the WhatsApp conversation? Currently, we know at least two. The first option is to capture the message database directly from any party's device, and the other option is to use cloud services. WhatsApp does not have its own local cloud service like Telegram. It has only one messaging relay service, and its storage time will not exceed the time required to deliver the message. In other words, any message sent through the WhatsApp server will be deleted immediately (due to end-to-end encryption). It should be noted that WhatsApp accounts cannot be used on multiple devices.
Let's review the WhatApp recovery or decryption options for Android and iOS and see what new features Elcomsoft eXplorer for WhatsApp (EXWA) has.
On Android smartphones, WhatsApp saves the chat database in a sandbox. The database is not included in the ADB backup, and the database can be accessed only when the device has root privileges. To access the WhatsApp database on a non-rooted device, the only way is to operate WhatsApp in sideload mode (a flashing mode of Android) and force it to return the original unencrypted database to the host. We can use EXWA to achieve, but note that it can only be implemented on the old version of Android 4.0 to 6.0.1. If you use this method on Android 7.0 and later versions, it will not work. The reason is that the process is more complicated, but we are still working hard and looking forward to implementing a similar method in the latest Android version. In other words, if you are buying a newest Android phone, you are unlikely to use this method.
WhatsApp can also create independent backups for Android shared storage or SD cards, but these backups are usually encrypted. The name of the encrypted WhatsApp backup file ends with .cryptNN, where NN represents a set of numbers. To decrypt the database, you need the encryption key stored in the WhatsApp sandbox, so that we can return to root or non-root situations, because you can only access the sandbox if you have super user rights. If you do this according to the above method, then I suggest you better take the original WhatsApp database out of the application sandbox, unless you need the data in that particular backup. The set of numbers in .cryptNN represents the revised version of the encryption algorithm used to protect the backup. These are minor changes in the encryption algorithm and do not actually affect security. Although open source code can decrypt these files (reference 1 and reference 2), you still need the encryption key.
Is it possible to just calculate or generate the encryption key without extracting it? Before we try, first we have to look at the WhatsApp backup on Google Drive. When creating a WhatsApp backup in the app, there are options. You can choose daily, weekly or monthly backup, so when you press the "Backup" button, the program will back up according to your option settings. However, you can also completely disable the backup. It should be noted that the backup will always contain relevant chat information and pictures (video is optional), but not contact information. For the Android version of WhatsApp (and backups on Google Drive), chat history is always encrypted, while media files are not.
For a long time, EXWA has been able to download WhatsApp backups from Google Drive, but only if you have the user's Google login credentials.
When doing WhatsApp backup, we need to use the same method as WhatsApp message generation. For example, the user needs to obtain a security code via SMS (you need to access the phone number to receive it). The only problem is that once the code is generated on the server, WhatsApp will be deactivated on the user's device. Of course, the user can activate it again, but the encryption key we generated can only be used for previously saved backups, not for any future backups.
For iOS devices, the easiest way to access WhatsApp sessions is to analyze backups with local iTunes attributes. Although the WhatsApp data in the iOS device backup does not have additional encryption, if a backup password is set, you must enter the password, restore the password or reset the password on the iPhone.
So can iCloud backups be cracked? They are essentially the same because WhatsApp chats and media files are also stored there without any additional encryption. Forensics personnel need to have the user's iCloud credentials (password plus the second verification factor, or authentication token) to download the device backup. Once the WhatsApp backup is downloaded, decrypting it is a matter of course.
Just like the Android environment, WhatsApp in the iOS environment can also be backed up independently, and they are all stored in the iCloud drive. Standalone WhatsApp backups in iCloud Drive are also encrypted, and this protection is similar to backups in Google Drive.
Above we learned how to get the encryption key directly from the iPhone, and now we can decrypt the standalone WhatsApp iCloud drive backup without the need for a security code. At this point, the user's WhatsApp installation will be running.
Technically speaking, the encryption key is stored in the keychain. Using Elcomsoft Phone Breaker can easily access most of the keychain items. Since the WhatsApp encryption key is for a higher security level, it can only be obtained through iOS Forensic Toolkit 4.0 with physical keychain extraction. Once you obtain the encryption key and open the WhatsApp backup downloaded from the iCloud drive, you will be prompted to decrypt it. But now you don't need to use the WhatsApp server for authentication (get the security code), instead you can specify the path to the keychain file extracted using the iOS Forensic Toolkit (keychaindump.xml by default).
The above is the old method, here I will introduce a new method: you only need to jailbreak the iPhone to get the keychain file. This method is rude but has many advantages. First, you will no longer need to obtain a security code via SMS or mobile phone, and WhatsApp will keep running on the user's iPhone. If you cannot access the user's SIM card, this may be the only extraction method available. In addition, the decryption key will be used for all past and future backups.
If the device is available, the backup may contain chat history that has been deleted on the device, and you do not need to use an iCloud drive to back up at this time. Although it is sometimes possible to recover deleted records from the SQLite database, this will only be done under special circumstances. Elcomsoft eXplorer is the most powerful WhatsApp recovery and decryption tool on the market. It supports both iOS and Android versions of WhatsApp and decrypts all types of backups.
If your account is blocked, then recall whether the above points have been violated. Perhaps in the process of using it, you accidentally touched the prohibited behavior, then don't worry, there are several solutions below.
The advantage of using this method is that there is no charge, but there are also drawbacks. Even if you receive the reply from the other party, you cannot reply to it immediately. Another is that the software side will check your behavior. If you really are If you are banned for violating the regulations, it is impossible to unblock the ban, so you must be true during the appeal process. Many people are willing to use this method, but you should not rush in the process. There are several steps to pay attention to:
How to see someone's phone screen activity, call history, sms, chat conversation, text messages, email, gps location, photos, videos, whatsapp, messenger, facebook.Hidden spy app can remotely monitor and track my partner's another cell phone. You can check all messages from wife or husband phone, Parents can control child's phone and read all deleted messages.The software can find target device online by phone number. You can download and install the apk file for free without touching it. Best way to hack your boyfriend's or girlfriend's android phone and listen call recording secretly.