We all love messaging and using IMs on our smartphones to stay in touch with our friends and family. We use various mobile apps like WhatsApp to IM without having to pay for SMS and this lead to the popularity of this famous app. WhatsApp is a cross-platform mobile messaging app which can auto sync to the phone address book, allow unlimited message length and also allows you to share multimedia like videos, location, images, etc… Thus, WhatsApp can be an important tool in obtaining data to a forensic analyst.

And guess what the best part is? You do not have to root your phone.

Before we start, we need the following set of tools to perform the tutorial:

  1. An android mobile device with WhatsApp installed.
  2. USB data cable
  3. Mobile phone drivers (You may find one in the CD which came with the handset or you could also find it online)
  4. WhatsApp_Xtract_v2.0 ( code.google.com/p/hotoloti/downloads/detail?name=Whatsapp_Xtract_v2.0_2012-05-02.zip&can=2&q= )
  5. Any file browser (manager) for android (Such as Astro or Rhythm file manager)
  6. Python for windows, which you can download from: http://www.activestate.com/activepython/downloads

Where to look for the data?

WhatsApp stores all data in a SQLite database. Since it is a cross-platform app for mobile devices, the location of the database varies from OS to OS.

However, on Android, you will generally find the database stored on the SD card in an encrypted format.

WhatsApp database encryption is a project of D. Cortjens, A.Spruyt, and W.F.C Wieringa. There is a vulnerability in the android implementation of AES cipher. The 192-bit key can be detected or cracked using both static and active analysis. If you are interested about the encryption project refer to the following PDF file: http://tinyurl.com/c4a8dcw

Ok so now let’s hunt for the encrypted database file. Launch your favorite file manager and navigate to “/mnt/sdcard/Whatsapp/”. Now, you will see two files named as msgstore followed by a date (for example, msgstore-2011-02-11.db.crypt and msgstore.db.crypt).

Now it is advisable to copy the two files somewhere else, for example: /ext/temporary/.

How to use?

Now connect your android device to the computer with the help of the USB cable. Make sure that you have already installed the required drivers for your device before connecting and your device is in “Mass storage mode”.

Install python on your machine from the given URL (see above).

Once the file (Whatsapp_Xtract) is downloaded, extract the contents of the file to your computer like “C:/test/” and run the pyCrypto.bat given in the directory “C:/test/”. Whatsapp_Xtract requires python framework and the crypto library to show off its charm.

Now copy the contents (i.e the two db.crypt files) to the folder “C:/what/” from your android mobile device. Now it’s time for fun, run the whatsapp_xtract_android.bat file or the whatsapp_xtract_android_crypted.bat file and you will get the output of all the chats, numbers, smiles, etc… in a HTML file format.

Or you can manually run the commands:

python whatsapp_xtract.py -imsgstore.db -w wa.db

Want to learn more?? The InfoSec Institute Advanced Computer Forensics Training trains you on critical forensic skills that are difficult to master outside of a lab enviornment. Already know how to acquire forensically sound images? Perform file carving? Take your existing forensic knowledge further and sharpen your skills with this Advanced Computer Forensics Boot Camp from InfoSec Institute. Upon the completion of our Advanced Computer Forensics Boot Camp, students will know how to:
  • Perform Volume Shadow Copy (VSC) analysis
  • Advanced level file and data structure analysis for XP, Windows 7 and Server 2008/2012 systems
  • Timeline Analysis & Windows Application Analysis
  • iPhone Forensics

OR (if wa.db is unavailable)

python whatsapp_xtract.py -imsgstore.db

OR (for crypteddb)

python whatsapp_xtract.py -imsgstore.db.crypt

For root android users:

A good news awaits you super users, you do not have to go through the above tedious steps in order to obtain the data.

If you have a rooted device, you can easily reach plain databases by going to: (data/data/com.whatsapp/databases/msgstore.db and wa.db)

What else to look for?

What else can you possibly look for? How about images and log files?

Let’s begin, shall we? Use your file manager to navigate to “/mnt/sdcard/WhatsApp/Profile Pictures/”

Here you can see the profile pictures of the other users which were viewed by the owner of the WhatsApp account recently. WhatsApp stores offline images of users profile pictures once they are viewed by their friends to the androids local directory making it accessible to anyone using the mobile.

Now let’s take a look at the log shall we?

Navigate your file manager to “/mnt/sdcard/WhatsApp/” and copy the logs.zip file to your computer. Use a compressed file extraction tool like WinRAR to decompress the files. You will see a text file with the nameWhatsApp followed by a date. This file contains every detail regarding your file space, phone numbers of your friends, timestamps, WiFi state, APN settings, etc…

References: