Now Reading
Decrypting encrypted WhatsApp databases without the key

Decrypting encrypted WhatsApp databases without the key

Every month our lab receives lots of requests to decrypt encrypted WhatsApp databases without the crypt key. In this article we’ll speak about available methods of the key extraction or recovery and the perspectives of decryption of encrypted WhatsApp databases without the crypt key.


WhatsApp crypt key location


So, what is the crypt key? It is a file with “key” name stored in  userdata/data/сom.whatsapp/files/.



Figure 1. The “key” file


The crypt key extraction and recovery


The main problem of decryption encrypted WhatsApp databases is that the key is always stored on the device, but encrypted databases can be also stored on it’s SD card, for example.



Figure 2. Encrypted WhatsApp databases


Usually to extract the crypt key a digital forensic examiner must perform a physical extraction from the device. But it’s not always possible due to software and hardware issues of some mobile devices. Of course, there are methods of extraction the crypt key from non-rooted devices, but these techniques can be applied to a limited number of devices.

If your client has the SIM-card used for the crypt key generation on the examined device, we can get a new key via reinstalling WhatsApp. The new key can be used to decrypt old databases.

The crypt key mining: a digital forensic examiner can try to recover the deleted key from the examined mobile device. Of course, you’ll need a physical image of the device. Extract strings and choose those with morphology similar to the crypt keys. Then try to use these keys to decrypt the encrypted databases you got.


The perspectives of decryption of encrypted WhatsApp databases without the crypt key


Nowadays there are no public solutions for decryption of encrypted WhatsApp databases without the crypt key.



Figure 3. Decrypted WhatsApp database (confidential information is not displayed)


In our opinion there are two main ways to solve the problem:

  • reverse engineering of WhatsApp code in order to understand the encryption algorithm. Very often the bugs in code allow the cell phone forensic expert to make development of decryption method much easier, or even find backdoors which help to decrypt the data very quick;
  • using mainframes or clouds to brute-force the crypt key. This technique shows very good results in password recovery and data decryption. Of course, it’s too expensive to use for WhatsApp databases decryption.

If you have any questions on WhatsApp databases decryption feel free to contact us using this form.

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics

  • Gajanan
    2018-04-04 at 8:06 AM

    very usfule

  • surya
    2018-06-26 at 7:58 AM

    i need more help, can u help me

  • 2018-09-04 at 12:33 AM

    Ok, i’ve cracked a google account and have downloadedd the crypt12 db file from the google drive but i dos’t have any access to the users phone also i need an other way to crack the database. I’ve a 2 gforce 1080ti graphic cards, can i use thier GPUs to crack the database or it’s impossible because it’s a to long time? I meen when i need to wait mor then one billion years it’s not a practicular way for a atac but what is with rainbow tables?

    And other quastion, have someone found any backdoors or exploits for the whatsapp algorytm?

  • Ronny
    2018-10-18 at 10:23 AM

    through which application your encrypted that less amount of whatsapp data? i know there isnt showing confidential info but msgs. How did you get that?

  • John
    2018-12-11 at 12:28 AM

    I’ve tried to extract WhatsApp Crypt Key from Android 7.0 WhatsApp 2.18.361 and it is not working. Apparently it is an issue with Android 7.

    I physically have the phone. Do you know of a method I can used, even if with paid software, to get the key file?

  • arsenio
    2018-12-28 at 6:07 AM

    “reverse engineering of WhatsApp code in order to understand the encryption algorithm.” the encryption algorithm used by WA is known (AES based). The only missing part is the access to the key generation algo that looks to be done on their servers. So two possibilities, they generate them in a deterministic way (get the salt and the algo running on their servers) or they are randomly generated… find a hole in their webservices to get keys without the sms/phonecall handshake

  • Ismail Noor
    2020-01-16 at 1:01 PM

    Any body help me on decrypting encrypted whatsapp database file without key ?

  • Jhon
    2020-03-26 at 12:15 AM
    Please read me
    I need help you

Leave a Response