
    Decrypting encrypted WhatsApp databases without the key

    WhatsApp is a popular online chat app used across the globe. Every month our lab receives lots of requests to decrypt encrypted WhatsApp databases without the crypt key. 

    In this article we will discuss the available methods of extracting or recovering the key and the prospects for decrypting WhatsApp databases without it.

     

    WhatsApp Crypt Key Location

     

    So, what is the crypt key? It is a file named “key” stored in WhatsApp's private data directory on the device: userdata/data/com.whatsapp/files/.

     


    Figure 1. The “key” file

     

    The Crypt Key Extraction and Recovery

     

    The main problem with decrypting encrypted WhatsApp databases is that the key is always stored on the phone itself, whether it is an iPhone, a Windows phone, or a Linux/Android device, while the encrypted databases can also be stored elsewhere, for example on the SD card.

     


    Figure 2. Encrypted WhatsApp databases

     

    Usually, to extract a WhatsApp key, a digital forensic examiner must perform a physical extraction of the device. This is not always possible because of software and hardware limitations of some mobile devices. There are methods of extracting the crypt key from non-rooted devices, but these techniques work only on a limited number of models.

    If your client still has the SIM card that was used when the crypt key was generated on the examined device, a new key can be obtained by reinstalling WhatsApp. When WhatsApp is restored this way, the new key can be used to decrypt the old WhatsApp databases.

    Crypt key mining: a digital forensic examiner can try to recover the deleted key from the examined mobile device. This requires a physical image of the device. Extract the strings from the image and select those whose morphology resembles a crypt key, then try each of these candidates to decrypt the encrypted files you have.
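    To illustrate the key-mining step described above, here is an added Python example (not code from the article or from the lab's tooling) that scans a constructed byte buffer standing in for a physical image, reports runs that match the 64-character hex key morphology, and drops low-entropy runs such as zero fills and repeated patterns. The 3.5-bit entropy threshold and the sample data are assumptions made for the example.

```python
import math
import re
from collections import Counter

# Morphology assumed here: a 64-character hexadecimal string, i.e. the
# 32-byte key the article says the decryption tool accepts. The lookarounds
# stop a longer hex blob from being cut into 64-character pieces.
HEX_KEY_RE = re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 32 random key bytes come out close to 5 bits."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_key_candidates(image: bytes, min_entropy: float = 3.5) -> list:
    """Return (offset, hex_key) pairs for every 64-hex-character run in the
    image whose decoded bytes are not obviously structured (zero runs,
    repeated patterns); the 3.5-bit threshold is an assumption."""
    candidates = []
    for match in HEX_KEY_RE.finditer(image):
        text = match.group().decode("ascii")
        if shannon_entropy(bytes.fromhex(text)) >= min_entropy:
            candidates.append((match.start(), text.lower()))
    return candidates


# Constructed stand-in for a physical image: filler, two low-entropy runs of
# the right length that are not keys, one key-like run, and one short run.
SAMPLE_IMAGE = (
    b"\x00\x00junk\x00com.whatsapp\x00"
    + b"0" * 64 + b"\x00"              # 64 zeros: entropy 0, rejected
    + b"deadbeef" * 8 + b"\x00"        # repeating pattern: entropy 2.0, rejected
    + b"3f9a1c7e0b5d42e8a6c1f07b9e2d5a483c6e1f9b0a7d2c4e8f5a1b3d6c9e0f72"
    + b"\x00"
    + b"a1b2c3d4e5f6\x00"              # only 12 hex characters: no match
)

if __name__ == "__main__":
    for offset, key in find_key_candidates(SAMPLE_IMAGE):
        print(f"candidate at offset {offset}: {key}")
```

Hash values and other 64-character hex strings match the same morphology, so every candidate still has to be tried against the encrypted database as the article describes.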

    WhatsApp Crypt Tools

    Luckily, there is a GitHub repository made specifically to decrypt and encrypt WhatsApp files with ease. The tool handles .crypt12, .crypt14, and .crypt15 files. To decrypt encrypted WhatsApp messages, you must have access to the key file or to the 64-character key. The tool can be installed directly on your computer or run through Google Colab.

    With the tool installed, your machine can create key files, decrypt, and encrypt using simple commands. The GitHub repository lays out everything from step 1 to the final step, and it provides an FAQ that documents common issues. The repository is well maintained, with frequent updates from its contributors.

     

    The Prospects of Decrypting Encrypted WhatsApp Databases Without the Crypt Key

     

    At present there are no public solutions for decrypting encrypted WhatsApp databases without the crypt key.

     


    Figure 3. Decrypted WhatsApp database (confidential information is not displayed)

     

    In our opinion, there are two main ways to solve the problem:

    • Reverse engineering the WhatsApp code in order to understand the encryption algorithm. Very often, bugs in the code make it much easier for the cell phone forensic expert to develop a decryption method, or even reveal backdoors that help decrypt the data very quickly.
    • Using mainframes or cloud resources to brute-force the crypt key. This technique shows very good results in data recovery and decryption. Of course, it is too expensive to use for WhatsApp database decryption.

    If you have any questions about WhatsApp database decryption, feel free to contact us using this form.

    About the authors:

    Igor Mikhaylov

    Interests: Computer, Cell Phone & Chip-Off Forensics

    Oleg Skulkin

    Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics

     
