Extracting WhatsApp database and the cipher key from a non-rooted Android device
WhatsApp Messenger is a popular cross-platform mobile messaging app which allows users to exchange free messages. Of course, such messages could contain lots of case-relevant data.
This messenger stores data in SQLite databases. There are two most important databases from a forensic point of view: wa.db and msgstore.db. The first one contains information about contacts, the second – about messages.
Very often a digital forensic examiner can find msgstore files on an Android device’s SD card, but not with db extension, but with, for example, crypt6, crypt7 or crypt8. These are encrypted msgstore backup files.
Of course, if you are examining a rooted device it’s not a problem: you can easily extract the cipher key and the most recent unencrypted msgstore database. But what if the device is non-rooted?
There is a solution! WhatsApp Key/DB Extractor is a tool developed by Abinash Bishoyi which allows a digital forensic examiner to extract the cipher key on non-rooted Android devices. What is more, the script also extracts the latest unencrypted WhatsApp Message Database (msgstore.db) and Contacts Database (wa.db). It’s important to note that WhatsApp Key/DB Extractor supports Android devices with Android 4.0 or higher.
To run the script you can use your favorite operating system: it supports Windows, Mac OS X and Linux. Make sure USB debugging is enabled on the device being examined and Android Debug Bridge drivers are installed.
Start from downloading the archive with the tool, use this link. Unpack the downloaded archive. If you are using Windows – run WhatsAppKeyExtract.bat, else – ./WhatsAppKeyExtract.sh.
In this example we are using a workstation with Mac OS X and an mobile device with Android 5.0.1. We run the WhatsAppKeyExtract.sh script: it downloads and installs to the device’s temporary folder WhatsApp 2.11.431 (fig. 1).
Figure 1. Running WhatsAppKeyExtract.sh script
Now the script is ready to extract the cipher key and the most recent Contacts and Message unencrypted databases. To do it, a forensic examiner should unlock the device and confirm the backup operation (fig. 2).
Figure 2. The script has successfully finished the task
The script copies the cipher key file and two unencrypted databases – wa and msgstore. Also it updates WhatsApp’s version to the original one. Now an examiner can use the cipher key to decrypt databases, for example, found on device’s SD card.
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics