Making complex data simple and compelling
From digital device to digital evidence
Unlock your vehicle's digital evidence potential
Forensic Analysis and Enhancement
Investigating and analyzing financial records
Gain access to the online accounts of deceased loved ones
Clear, precise evidence for a messy world
Expert reports to suit your specific needs
We can locate people anywhere
Stop worrying and learn the truth
Prevent, Detect, Respond To Cyberattacks
First response is crucial. Every minute counts.
The first response is critical to reduce liability
Detection & Removing Spyware Services
Reduce your electronic risk from digital transmittals
Find out who you are really talking to
Experienced, Confidential Services
Swift, professional incident response
Complicated cases require compelling digital facts
Find, recover and document digital evidence
Bring solid evidence before a judge
Cases can be investigated using Social Media
WhatsApp is a popular online chat app used across the globe. Every month our lab receives lots of requests to decrypt encrypted WhatsApp databases without the crypt key.
In this article we’ll speak about available methods of the key extraction or recovery and the perspectives of decrypting WhatsApp databases without the crypt key.
WhatsApp Crypt Key Location
So, what is the crypt key? It is a WhatsApp database file with a “key” name stored in your WhatsApp account: userdata/data/com.whatsapp/files/.
Figure 1. The “key” file
The Crypt Key Extraction and Recovery
The main problem of decryption encrypted WhatsApp databases is that the key is always stored on the phone, whether it’s an iOS iPhone, Windows, or Linux/Android device. But encrypted databases can be also stored on it’s SD card, for example.
Figure 2. Encrypted WhatsApp databases
Usually, to extract a WhatsApp key, a digital forensic examiner must perform a physical extraction from the device. But it’s not always possible due to software and hardware issues of some mobile devices. Of course, there are methods of extracting the crypt key from non-rooted devices, but these techniques can be applied to a limited number of devices.
If your client has the SIM-card used for the crypt key generation on the examined device, we can get a new key via reinstalling WhatsApp. If you restore WhatsApp, the new key can be used to decrypt old WhatsApp databases.
Crypt key mining: a digital forensic examiner can try to restore the deleted key from the examined mobile device. Of course, you’ll need a physical image of the device. Extract strings and choose those with morphology similar to the crypt keys. Then, try to use these keys to decrypt the encrypted files you have.
WhatsApp Crypt Tools
Luckily, there’s a GitHub repository made specifically to decrypt and encrypt WhatsApp files with ease. The tool is able to handle .crypt12, .crypt15, and .crypt14 file types. In order to decrypt encrypted WhatsApp messages, you must have access to the key file or 64-character key. The tool can be installed directly on your computer or installed through Google Collab.
With the tool installed your device can create key files, decrypt, and encrypt by reading simple commands. The GitHub repository layouts out everything from step 1 to the final measure. It also provides an FAQ that documents common issues. The repository is well managed with frequent updates from its contributors.
The Perspectives of Decryption of Encrypted WhatsApp Databases Without the Crypt Key
Nowadays there are no public solutions for the decryption of encrypted WhatsApp databases without the crypt key.
Figure 3. Decrypted WhatsApp database (confidential information is not displayed)
In our opinion, there are two main ways to solve the problem:
If you have any questions about WhatsApp database decryption, feel free to contact us using this form.
About the authors:
Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics
Oleg Skulkin
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
Speak to a Specialist Now
Get Help Now