As technology advances and phones gain ever more functions, smartphones are used more and more widely in people's lives, and wherever they are, people seem increasingly inseparable from them. Functions such as web browsing, shopping, photography, video and audio recording and navigation bring great convenience to life and work, and greatly improve people's efficiency and enjoyment of life.

However, while we enjoy the efficiency and convenience that mobile phones bring to work and life, they also bring some lingering troubles: for example, data lost or accidentally deleted through human error or phone failure, or a phone infected with malware or implanted with Trojan spyware, so that the data and account information on it are stolen, causing financial loss or leakage of personal privacy.

If someone mistakenly deletes important data from a phone, or cannot view it because they have forgotten the password or the phone is damaged, the password needs to be removed and the data restored and extracted. To fully recover and extract the important data on a phone, ensure that no data is lost and the device is not damaged during recovery and extraction, and avoid leaking the user's personal privacy, professional techniques are required.

  • Mobile phone data recovery
    Recovers deleted data from the phone's internal memory and memory card, such as the address book, short messages, chat application message content, pictures, photos, audio, video and other document files in various formats.
  • Mobile phone data extraction
    Extracts application data, passwords, IM (instant messaging) data, contacts, text messages, emails, calendars, multimedia, call records, phone details (IMEI/ESN), ICCID and IMSI, and SIM card location information (TMSI, MCC, MNC, LAC). It can also clone the phone's SIM card ID and extract GPS track data.
  • Mobile phone data decryption
    Decodes application data, passwords, emails, call records, SMS, contacts, calendars, media files, GPS information, etc.; extensively decodes applications, emails, Bluetooth data, etc.; extracts other data and decrypts WhatsApp's encrypted message history database.

Spyware and tracking software

Mobile spy software and tracking software are similar. Both can steal data: images, videos, emails, text messages and so on; everything is under the control of the person monitoring, and both can also intercept live call records over regular cellular lines or VoIP applications. However, mobile spy apps are generally not targeted at a specific individual, while mobile tracking apps exercise close control over a target: they can steal pictures and text messages, eavesdrop on calls, and secretly record the target's online conversations. In addition, mobile tracking applications can intercept communications from applications such as Skype, WhatsApp, and iMessage.

How to decrypt WhatsApp database

Like many smartphone applications, WhatsApp stores its data in SQLite database files. For WhatsApp on Android, two databases matter most: msgstore.db, which contains the chat records, and wa.db, which contains the contact list. Handling these databases used to be relatively simple, because WhatsApp's backup function writes the database to the SD card, which can be accessed without any special permissions (such as root). However, once the latest security update is installed, the WhatsApp database is encrypted and can no longer be analyzed directly, which poses a real challenge. Chat records, message records and call records are protected with the AES-256 standard, while media files such as photos and videos are not encrypted. WhatsApp's encryption format has been updated from Crypt5 through Crypt7 and Crypt8 to Crypt12.

So how do we get into the WhatsApp database in this situation? The most critical step is obtaining the cipher key. When a user performs a WhatsApp backup for the first time, an encryption key is generated. The key is never stored in the cloud, only on the smartphone, and each smartphone has a different key. Therefore, in order to decrypt the database, we must first extract the encryption key from the phone that created the backup. The path of the encryption key is: userdata/data/com.whatsapp/files/key.

Based on the research of SalvationDATA's data forensics experts, we have developed a special algorithm that uses this key file to crack the WhatsApp database. We will release this tool shortly and integrate it into the SmartPhone Forensic System (SPF), so that users without any programming background can successfully crack WhatsApp's encrypted database. The user only needs to import the key file and the encrypted database file, and the program automatically generates the correct unencrypted database file.

How to bypass WhatsApp encryption mechanism

However, without rooting the device, obtaining the key file is not easy. So next we discuss how to bypass WhatsApp's encryption mechanism and how to extract WhatsApp data without root access.

The key file and the unencrypted database are always stored in the WhatsApp directory. If you can access these files, you can view the communication records of WhatsApp on the current device. The only problem is that without root privileges, we cannot directly access these files.

Without root permissions, there are two ways to extract WhatsApp data.

System backup and restore

The first method uses the backup and restore function of the Android system. Many Android phone manufacturers let users create backups with a built-in system application, and a backup created this way is stored on the SD card without encryption. Law enforcement agencies can therefore use this simple method to access WhatsApp communication records.

We can create a backup of WhatsApp on the phone itself. Open the "Backup Restore" application in the Tools folder, create a new backup, and remember to tick WhatsApp. The WhatsApp backup data can then be found on the phone's SD card. This backup includes all unencrypted database files and the WhatsApp key file. All that remains is to analyze the target database with a mobile forensics tool.

Downgrade backup

Another way is to downgrade the WhatsApp application to a version that has no encryption mechanism. WhatsApp v.2.11.431 is the last version that does not enforce encrypted backups. We can therefore downgrade WhatsApp to v.2.11.431 without deleting user data, create a backup file with the old version, and then extract the required database. This process requires professional skill and carries the risk of permanent data loss, so we strongly recommend that users rely on professional forensic tools to perform the downgrade.

How to recover deleted WhatsApp messages

Now that we know how to extract WhatsApp database files from a smartphone, let's look at how to use those files to recover deleted WhatsApp messages on Android and iOS devices. Users can delete WhatsApp messages in two ways: one by one, or all at once with the "clear/delete" chat button. According to our tests, whichever way the user deletes a message, it can be recovered with the following method.

As mentioned earlier, WhatsApp uses a SQLite database to store messages. Unlike Android, iOS stores all WhatsApp-related data in the ChatStorage.sqlite database. These database files are usually accompanied by a cache file with the suffix "-wal" (SQLite's write-ahead log). In most cases this cache file has size 0, but when it does not, it may contain important data that has not yet been written into the database. When this happens we must handle it carefully: if the cache file is ignored, the information stored in it may be overwritten and can never be retrieved.

According to our analysis, WhatsApp messages that are still accessible normally are stored in msgstore.db, while deleted messages remain in msgstore.db-wal, the message cache file. WhatsApp always writes a message to the cache file first and then saves it to the real database. Interestingly, the cache file is sometimes larger than the database file: a message can be stored in the database only as a single record, but the cache file has no such restriction, so a message may have several records at the same time. This is what gives us a chance to recover deleted or lost WhatsApp messages.

However, to avoid overwriting the existing data in the cache file, we must not open the database file directly until the cache file has been handled correctly. We must first process the cache file, match the record features, and then save and analyze all the data it contains.

Take "this is a test message" as an example. When the user deletes this message, the corresponding record is usually removed from msgstore.db, but some records of the message may still be kept in the msgstore.db-wal cache file. The situation before and after "This is a test message" is deleted is shown in the figure below: when the message is deleted, the relevant data is still stored in the cache file, and the offset of the record remains unchanged.

Therefore, by analyzing and extracting the data in the msgstore.db-wal cache file, we have a way to recover deleted or lost WhatsApp messages. This method can effectively and reliably extract deleted WhatsApp data, and is also a perfect solution for recovering deleted messages and cleared chat history.
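As an added illustration of the recovery idea above (example code written for this page, not SalvationDATA's tool or SPF code), the following Python walks the frames of a SQLite "-wal" file directly and searches each logged page for message text, without ever opening the database, so nothing in the log gets checkpointed or overwritten. The table name, the message and the temporary file paths are constructed for the example; the WAL header and frame layout follow the public SQLite file format.

```python
import os
import sqlite3
import struct
import tempfile

WAL_HEADER = 32    # magic, format, page size, checkpoint seq, 2 salts, 2 checksums
FRAME_HEADER = 24  # page number, db size after commit, 2 salts, 2 checksums

def parse_wal(wal_bytes):
    """Yield (frame_index, page_number, page_bytes) for every frame in the WAL.
    Checksums are deliberately not validated: stale frames from earlier
    transactions are exactly what a recovery scan wants to see."""
    magic, _fmt, page_size = struct.unpack(">III", wal_bytes[:12])
    if magic not in (0x377F0682, 0x377F0683):
        raise ValueError("not a SQLite WAL file")
    off, idx = WAL_HEADER, 0
    while off + FRAME_HEADER + page_size <= len(wal_bytes):
        page_no = struct.unpack(">I", wal_bytes[off:off + 4])[0]
        page = wal_bytes[off + FRAME_HEADER:off + FRAME_HEADER + page_size]
        yield idx, page_no, page
        off += FRAME_HEADER + page_size
        idx += 1

def find_in_wal(wal_bytes, needle):
    """Return [(frame_index, page_number, offset_in_page)] for every hit."""
    hits = []
    for idx, page_no, page in parse_wal(wal_bytes):
        pos = page.find(needle)
        while pos >= 0:
            hits.append((idx, page_no, pos))
            pos = page.find(needle, pos + 1)
    return hits

def build_sample():
    """Constructed sample: a WAL-mode database in which one message is inserted
    and then deleted. Returns (rows_left_in_table, wal_hits). The WAL is copied
    while the connection is still open: closing the last connection checkpoints
    the log into the main file and deletes it, which is the overwrite risk."""
    path = os.path.join(tempfile.mkdtemp(), "msgstore.db")  # constructed path
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE messages(_id INTEGER PRIMARY KEY, data TEXT)")
    con.execute("INSERT INTO messages(data) VALUES (?)", ("this is a test message",))
    con.commit()
    con.execute("DELETE FROM messages")  # the record is gone from the table ...
    con.commit()
    with open(path + "-wal", "rb") as f:  # ... but the earlier frame is still logged
        wal = f.read()
    rows = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    con.close()
    return rows, find_in_wal(wal, b"this is a test message")
```

Each hit reports the frame index, the database page that frame carries and the offset of the text inside that page, which is the offset the article says stays unchanged after deletion.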

