A New Tool for WhatsApp Acquisition

November 25th, 2015 by Vladimir Katalov
Category: «Clouds», «Elcomsoft News», «Software»

We have recently released a brand new product, Elcomsoft Explorer for WhatsApp. Targeted at home users and forensic experts alike, this Windows-based, iOS-centric tool offers a range of extraction options for WhatsApp databases. Why the new tool, and how is it different from the other extraction options offered by Elcomsoft’s mobile forensic tools? Before we move on to that, let’s have a look at the current state of WhatsApp.

What’s WhatsApp?

WhatsApp is one of the world’s most popular instant messengers. With more than 900 million active accounts, WhatsApp is the number one messenger in North America and parts of Europe. Recognizing its popularity, Facebook has paid $22 billion for the company.

WhatsApp has client apps on all popular mobile platforms including Android, iOS, Blackberry, the Nokia phones, Microsoft Windows Phone 8.x and Windows 10 Mobile, serving as an effective replacement for text and multimedia messaging and enabling true cross-platform communications on the go.

WhatsApp does not bill for each message sent or received. Other than the $1 yearly service fee, the cost of using WhatsApp is minimal, as the amount of Internet traffic it uses is very low.

WhatsApp is more secure than SMS, too. Unlike carrier-delivered text messages and MMS, WhatsApp communications cannot be intercepted or requested from the provider. Unlike Apple iMessages, WhatsApp is not tied to a single platform, serving as a perfect iMessage replacement for Android-iOS communications.

WhatsApp communication history is not reflected in the mobile service bill, and WhatsApp messages are not stored on the carrier’s computers in case law enforcement officials need access to that information. WhatsApp messages fly directly between users’ devices, securely encrypted. Strict point-to-point messaging makes it impossible to intercept WhatsApp communications. Even breaking into WhatsApp won’t help hackers steal someone’s communication history.

Due to its overwhelming popularity, WhatsApp quickly became a target for spammers, hoaxers and plain criminals of all kinds. The very fact that the messenger app is designed to use secure end-to-end communications makes it difficult for the police to investigate cases involving WhatsApp messaging. Since no logs are stored on the carrier’s side, requesting WhatsApp history files from the mobile carrier or an Internet service provider is not possible. The only way to acquire WhatsApp histories is to image end-user devices or to pull data from local or cloud backups. And that’s exactly what we do in Elcomsoft Explorer for WhatsApp.

Pulling WhatsApp Backups from the Cloud

We made Elcomsoft Explorer for WhatsApp to help legitimate WhatsApp users and mobile forensic experts access communication histories stored in the cloud or available in local iTunes backups. Elcomsoft Explorer for WhatsApp includes certain functionality from our dedicated mobile forensic tool, Elcomsoft Phone Breaker.

With Elcomsoft Explorer for WhatsApp, you can extract WhatsApp histories from the following sources:

  • Extract from local iTunes backups (iOS). If you have an offline iOS backup file sitting on your computer, or if you can make the phone produce a backup via iTunes, Elcomsoft Explorer for WhatsApp can extract WhatsApp communication history from that backup. Encrypted backups can be automatically decrypted if you know the password.
  • Download from Apple iCloud (iOS backups). If the option to make iCloud backups is activated on an iPhone, Elcomsoft Explorer for WhatsApp can connect to the user’s iCloud account and pull WhatsApp histories from iOS system backups. You won’t have to download the entire system backup, as Elcomsoft Explorer for WhatsApp will use selective access to only pull WhatsApp data. Apple ID and password are required. You can also use a binary authentication token (more on that later).
  • Download from iCloud Drive (WhatsApp standalone backups). Even if iCloud backups are not enabled, WhatsApp can be configured to back up its database into the cloud. In this case, WhatsApp will produce a standalone backup in a proprietary format. Elcomsoft Explorer for WhatsApp can download and parse that backup from iCloud Drive (as usual, with either the user’s Apple ID/password or binary authentication token).

Yes, iOS 9, Too

Elcomsoft Explorer for WhatsApp can download iOS backups saved by devices running iOS 9. There has been a big change in the way these backups are stored (Apple moved them from iCloud to iCloud Drive), so you will need to install iCloud for Windows in order to obtain these backups.

iCloud for Windows Is Required

Using Elcomsoft Explorer for WhatsApp for downloading iOS backups from iCloud or retrieving WhatsApp standalone backups from iCloud Drive requires installing Apple’s iCloud for Windows. You can download and install iCloud for Windows from Apple’s Web site.

Since WhatsApp instances are unique per telephone number, a single Apple account may contain multiple WhatsApp backups, each for its own telephone number. Elcomsoft Explorer for WhatsApp will list and allow downloading all of them.

A Word on Binary Authentication Tokens

Just like Elcomsoft Phone Breaker, Elcomsoft Explorer for WhatsApp can connect to iCloud with either the user’s Apple ID and password or with a binary authentication token extracted from the user’s computer (PC or Mac). However, we didn’t include the tools to pull the token file from the computer (or disk image) with Elcomsoft Explorer for WhatsApp. If you need a tool to obtain the token, please install Elcomsoft Phone Breaker and use the token extraction tool bundled with that product. No worries, you won’t have to pay to use that tool, as it’s available in the free evaluation version of Elcomsoft Phone Breaker.

Viewing WhatsApp Databases

Elcomsoft Explorer for WhatsApp comes with a built-in viewer that allows you to browse through the multiple WhatsApp databases you’ve extracted. The viewer offers instant searching and filtering, allowing you to locate contacts, messages and pictures of interest, or to filter conversations matching certain criteria, such as containing a certain keyword or falling within a certain date range.

[Screenshots: exwa_device, exwa_messages, exwa_media]

Future Development

We are considering adding more features to Elcomsoft Explorer for WhatsApp to allow extracting WhatsApp histories from a wider range of devices. For now, the tool is limited to iOS, yet we want to add the ability to extract WhatsApp databases from Windows devices (Windows Phone 8.x and Windows 10 Mobile), BlackBerry backups and Android phones (via Google accounts). Stay tuned for more news!
REFERENCES:

Elcomsoft Explorer for WhatsApp

Elcomsoft Explorer for WhatsApp is a tool to download, decrypt and display WhatsApp communication histories. The tool automatically acquires WhatsApp databases from one or multiple sources, processes information and displays contacts, messages, call history and pictures sent and received. The built-in viewer offers convenient searching and filtering, and allows viewing multiple WhatsApp databases extracted from various sources.