WhatsApp Messenger is a popular cross-platform mobile messaging app that lets users exchange free messages, and such messages can contain a lot of case-relevant data. The messenger stores its data in SQLite databases. The two most important databases from a forensic point of view are wa.db and msgstore.db: the first contains information about contacts, the second about messages.
Very often a digital forensic examiner finds msgstore files on an Android device's SD card, but not with a .db extension; instead they carry extensions such as crypt6, crypt7 or crypt8. These are encrypted msgstore backup files.
Of course, if you are examining a rooted device it’s not a problem: you can easily extract the cipher key and the most recent unencrypted msgstore database. But what if the device is non-rooted?
There is a solution! WhatsApp Key/DB Extractor is a tool developed by Abinash Bishoyi which allows a digital forensic examiner to extract the cipher key on non-rooted Android devices. What is more, the script also extracts the latest unencrypted WhatsApp Message Database (msgstore.db) and Contacts Database (wa.db). It’s important to note that WhatsApp Key/DB Extractor supports Android devices with Android 4.0 or higher.
To run the script you can use your favorite operating system: it supports Windows, Mac OS X and Linux. Make sure USB debugging is enabled on the device being examined and Android Debug Bridge drivers are installed.
Start by downloading the archive with the tool and unpacking it. On Windows, run WhatsAppKeyExtract.bat; on other systems, run ./WhatsAppKeyExtract.sh.
In this example we are using a workstation with Mac OS X and a mobile device with Android 5.0.1. We run the WhatsAppKeyExtract.sh script: it downloads WhatsApp 2.11.431 and installs it to the device's temporary folder (fig. 1).
Figure 1. Running WhatsAppKeyExtract.sh script
Now the script is ready to extract the cipher key and the most recent unencrypted Contacts and Message databases. To do this, the forensic examiner should unlock the device and confirm the backup operation (fig. 2).
Figure 2. The script has successfully finished the task
The script copies the cipher key file and the two unencrypted databases, wa and msgstore, and then restores the original WhatsApp version on the device. The examiner can now use the cipher key to decrypt encrypted databases, for example those found on the device's SD card.
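As an added example (not part of the original article or of the WhatsApp Key/DB Extractor tool), here is a stdlib-only Python check an examiner can run over the files the script leaves behind before analysis: it confirms the cipher key file has the expected length (the 158-byte length and the file name `key` are assumptions about the key file, not stated on this page), confirms that the extracted wa.db and msgstore.db carry a valid SQLite header, flags a crypt6/7/8 file that is not actually encrypted, and records a SHA-256 hash of each artifact for the evidence log.

```python
import hashlib
import os

KEY_FILE_LEN = 158                      # assumed length of the WhatsApp cipher-key file
SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 database
CRYPT_EXTS = {".crypt6", ".crypt7", ".crypt8"}


def check_sqlite(data: bytes) -> list:
    """Return the problems found in an (unencrypted) SQLite file; an empty list means OK."""
    problems = []
    if data[:16] != SQLITE_MAGIC:
        problems.append("missing SQLite header (file may still be encrypted)")
        return problems
    page_size = int.from_bytes(data[16:18], "big")
    if page_size == 1:                  # SQLite encodes a 65536-byte page size as 1
        page_size = 65536
    if page_size < 512 or page_size & (page_size - 1):
        problems.append(f"invalid page size {page_size}")
    elif len(data) % page_size:
        problems.append("length is not a multiple of the page size (truncated copy?)")
    return problems


def check_artifact(name: str, data: bytes) -> dict:
    """Classify one extracted file by name, validate it and record its hash."""
    ext = os.path.splitext(name)[1].lower()
    result = {"name": name, "size": len(data),
              "sha256": hashlib.sha256(data).hexdigest(), "problems": []}
    if name == "key":                   # assumed name of the extracted cipher-key file
        result["kind"] = "cipher key"
        if len(data) != KEY_FILE_LEN:
            result["problems"].append(f"key file is {len(data)} bytes, expected {KEY_FILE_LEN}")
    elif ext in CRYPT_EXTS:
        result["kind"] = "encrypted backup"
        if data[:16] == SQLITE_MAGIC:
            result["problems"].append("has a SQLite header, so it is not actually encrypted")
    elif ext == ".db":
        result["kind"] = "database"
        result["problems"].extend(check_sqlite(data))
    else:
        result["kind"] = "unknown"
        result["problems"].append("unexpected file type")
    return result


def check_file(path: str) -> dict:
    """Convenience wrapper: run check_artifact on a file from disk."""
    with open(path, "rb") as fh:
        return check_artifact(os.path.basename(path), fh.read())
```

Run check_file over each extracted file and keep the returned dicts (name, size, SHA-256, problems) with the case notes; any non-empty problems list means the extraction should be repeated before the databases are parsed.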
About the authors:
Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics
Oleg Skulkin
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics