WhatsApp Extraction for Android 

1) Executive Summary

Because of constant security updates, it has become increasingly challenging to access WhatsApp data for a forensic extraction. As an alternative to the usual approach of performing a physical extraction with a tool such as Cellebrite’s UFED, one can back up the WhatsApp database to a temporary Gmail account, restore that backup onto a second mobile device, and then create a physical image of that device. The chats are thus still secured.

2) Introduction

Using Cellebrite’s UFED, you can extract data from thousands of mobile devices, including WhatsApp messages. WhatsApp stores its messages in an encrypted database called a Crypt12 file. The key used to decrypt this file is stored in a secure location that can only be accessed if the device is rooted or through a Physical Extraction using Cellebrite UFED. Most mobile phones are not rooted, and because rooting is intrusive, a physical extraction is preferable.

3) The Problem

UFED does not support a Physical Extraction method for all mobile devices, and the newer the device, the less likely it is to be supported.

Without a Physical Extraction or rooting the device, the key to the Crypt12 file cannot be retrieved; thus the WhatsApp database cannot be decrypted and its contents cannot be read.

Some of these devices (as of June 2019) include:

● Samsung Galaxy S10+ SM-G975F

● Samsung Galaxy S10+ SM-G9750

● Samsung Galaxy S9+ SM-G965F

● Samsung Galaxy S8+ SM-G950F

● Huawei P30 Pro VOG-L29

● Huawei P20 Pro CLT-L09

● Huawei P20 Lite ANE-LX1 

And many more.

5) The Solution

The alternative to a Physical Extraction is to temporarily transfer the WhatsApp backup to a mobile device for which Cellebrite does support a physical extraction method. The older the device, the better.

 

What you will need:

1. Another mobile device that is factory reset.

2. A temporary Gmail account.

3. An internet connection to both mobile phones.

4. Access to the source device.

 

We will refer to the devices as Source and Target: Source being the device containing the WhatsApp data we would like to extract, and Target being the device we are moving the WhatsApp account to temporarily.

 

What will be transferred is the Gmail backup of the WhatsApp database. It will be synced to the temporary Gmail account and downloaded on the Target phone.

 

● Create a temporary Gmail address e.g. tempmail@gmail.com

● Add the temporary email account to the Source phone: Phone Settings > Cloud and Accounts > Accounts > Add account

● Change the WhatsApp chat backup location to tempmail@gmail.com: WhatsApp Settings > Chats > Chat backup > Accounts

● Press Back Up to sync the WhatsApp backup to the tempmail@gmail.com account.

 

The original Gmail address can also be used if you have the login details of the Source device. Syncing the backup to the new account backs up the current database as it is. Using the original Gmail account might provide other data that you cannot currently see (e.g. if the user recently deleted a message but has not backed up since, the backup on Gmail might still contain that message).

 

● Open the Target phone and add the temporary email address containing the WhatsApp backup.

● Download WhatsApp from the Play Store.

● Open WhatsApp and enter the mobile number associated with the Source WhatsApp account. (You will need to be able to receive a verification code on the Source device.)

● Press verify.

● A verification code will be sent to the associated number. (The Source phone will have to be taken out of Airplane mode to be able to receive the code.)

● Enter the verification code.

● Once verified, the Source device can be put back into airplane mode.

● Wait for the backup to finish restoring.

● After the backup has finished restoring, put the Target phone in airplane mode.

● The Target phone is ready to be imaged.

 

After you have successfully imaged the Target and tested the image, you can verify the account on the Source device again.

 

● Open WhatsApp on the Source device (note that you will have to take it off airplane mode again) and press verify.

● Enter the verification code again (some devices detect that the code was sent and verify automatically).

● The account should be verified and back on the Source device.

● Return the chat backup account to the original account on the Source device.

 

Some things to take note of: 

● Make sure you have enough space on the Target as some WhatsApp backups can be large, especially if you are including media.

● The contact list will not be extracted; chats will show only the mobile numbers, not the names of the contacts.

● The Security Code for the WhatsApp account will change upon every verification: once when you verify the account on the Target device, and once when you verify it back on the Source device.

 

6) The Output

After a successful Physical Extraction of the Target, you can open it in Physical Analyzer. As this is a physical extraction, all operating system files will also have been extracted. If only the chats are relevant to the case, you can merge this extraction with a File System and/or Advanced Logical Extraction of the Source device, if one was created.

Alternatively, export just the Chats (found under “Analyzed Data” in the project tree) to PDF and use that for the investigation.
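Because the Target image carries only the mobile numbers for each chat, an analyst who also holds a contacts export from the Source device (for example from the File System or Advanced Logical Extraction mentioned above) can restore the names by joining the two on a normalized number. The script below is an added example and is not part of the FACTS Consulting write-up or any Cellebrite tooling; the CSV layouts, the `@s.whatsapp.net` participant suffix handling, the default country code and all sample records are constructed assumptions for the example.

```python
"""Restore contact names to WhatsApp chats exported from the Target image.

Added example (not part of the original write-up): the Target image shows
only the mobile number for each chat, so this joins the chat export with a
contacts export taken from the Source device on the normalized number.
File layouts, sample records and the default country code are constructed
for the example; adapt them to the actual exports.
"""
import csv
import io
import re

# Assumption for the example: numbers in national format belong to +27.
DEFAULT_COUNTRY_CODE = "27"

# Constructed sample: contacts as they might be exported from the Source device.
CONTACTS_CSV = """name,number
Alice Example,082 555 0101
Bob Example,+27 83 555 0202
Carol Example,0027845550303
"""

# Constructed sample: chat participants as exported from the Target image,
# which carry only the number (one here in WhatsApp JID form).
CHATS_CSV = """chat_id,participant
1,27825550101@s.whatsapp.net
2,27835550202
3,27865550404
"""


def normalize_number(raw: str, default_cc: str = DEFAULT_COUNTRY_CODE) -> str:
    """Reduce a phone number to E.164-style digits without the leading '+'.

    Handles spaces and punctuation, a leading '+', an international '00'
    prefix, a national trunk '0' prefix and a trailing JID domain suffix.
    """
    number = raw.split("@", 1)[0]            # strip a WhatsApp JID domain
    number = re.sub(r"[^0-9+]", "", number)  # keep only digits and '+'
    if number.startswith("+"):
        return number[1:]
    if number.startswith("00"):
        return number[2:]
    if number.startswith("0"):               # national format: add country code
        return default_cc + number[1:]
    return number


def load_contacts(csv_text: str) -> dict:
    """Map normalized number -> contact name."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize_number(row["number"]): row["name"] for row in reader}


def resolve_chats(chats_csv: str, contacts: dict) -> list:
    """Attach a name to each chat participant; unknown numbers get None."""
    reader = csv.DictReader(io.StringIO(chats_csv))
    resolved = []
    for row in reader:
        number = normalize_number(row["participant"])
        resolved.append({
            "chat_id": row["chat_id"],
            "number": number,
            "name": contacts.get(number),  # None when the Source had no contact
        })
    return resolved


def unresolved(resolved: list) -> list:
    """Numbers that matched no contact, listed for manual follow-up."""
    return [r["number"] for r in resolved if r["name"] is None]


if __name__ == "__main__":
    contacts = load_contacts(CONTACTS_CSV)
    for entry in resolve_chats(CHATS_CSV, contacts):
        print(f"chat {entry['chat_id']}: {entry['number']} -> "
              f"{entry['name'] or 'UNRESOLVED'}")
```

Numbers that do not resolve are listed separately rather than guessed, so the join can be documented in the case notes alongside the two extractions it was built from.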

FACTS Consulting. All rights Reserved. 2019
