Extracting WhatsApp Conversations from Android Smartphones

February 2nd, 2017 by Oleg Afonin

As you may already know, we’ve added Android support to our WhatsApp acquisition tool, Elcomsoft Explorer for WhatsApp. While the updated tool can now extract WhatsApp communication histories directly from Android smartphones with or without root access, how do you actually use it, and how does it work? In this blog post we’ll look into the technical details and learn how to use the tool.

WhatsApp on Android

WhatsApp claims over a billion users. The company has client apps for all major mobile platforms including Android, iOS and Windows 10 Mobile, yet 73% of its user base are Android users. Elcomsoft Explorer for WhatsApp was an iOS exclusive for way too long. Now it’s time to go Android!

Extracting WhatsApp Communication History from Android Devices

WhatsApp employs peer-to-peer exchange of encrypted messages, making the man-in-the-middle attack unfeasible. The company does not keep a copy of those messages anywhere on its servers, which rules out direct cloud acquisition. WhatsApp encrypts its cloud backups, which makes acquisition far from trivial.

If root access is available, we can use root privileges to access and extract the working database. With root access, Elcomsoft Explorer for WhatsApp can extract and decrypt the WhatsApp database from pretty much every Android smartphone running Android 4.0 through the latest 7.1.1; without root access, the supported range ends at Android 6.0.1.

If root access is not available, WhatsApp acquisition options become even more limited. You could use the manufacturer’s backup tool to back up the content of the device, image the device, or use a custom recovery (if the bootloader is unlocked) to extract device content. However, Elcomsoft Explorer for WhatsApp offers a safer and easier alternative by forcing an ADB backup of WhatsApp data and decrypting that backup. This only works for Android devices running Android 4.0 through 6.0.1.

If You Have a Rooted Device

If your Android device has root access, or if you can obtain root access, you’ll be able to access the data without much of an issue. If this is the case, Elcomsoft Explorer for WhatsApp will extract the WhatsApp database from its protected location and make a temporary copy in publicly accessible /sdcard. The next step is copying the data to a PC where Elcomsoft Explorer for WhatsApp is installed. After that, the temporary files are deleted.

For Non-Rooted Devices

With no root access, direct extraction of WhatsApp data is not possible. One must then use a local WhatsApp backup to extract data. However, recent versions of WhatsApp encrypt their backups (or disable them completely).

Elcomsoft Explorer for WhatsApp employs a smart workaround for processing WhatsApp extraction on non-rooted devices. This is how it works.

Elcomsoft Explorer for WhatsApp downloads WhatsApp v.2.11.431 from the official Web site. WhatsApp 2.11.431 was the last version of WhatsApp without forced backup encryption.

  1. The tool downgrades existing WhatsApp installation to v.2.11.431.
  2. Once WhatsApp 2.11.431 is installed, Elcomsoft Explorer for WhatsApp makes a WhatsApp backup via ADB. Note: if device storage is encrypted, the ADB backup will require a password. Use “pass123” as a password.
  3. Once the backup is created, Elcomsoft Explorer for WhatsApp pulls backup data from the device and restores the original version of WhatsApp.
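
The backup made in step 2 is a standard Android backup (.ab) file: a short text header followed by a tar archive. The Python code below is an added example, not Elcomsoft's code and not part of the original post; it reads the header to tell whether the backup is password-encrypted and, if it is not, lists the files inside. The sample backup and its contents are constructed for illustration.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_ab(blob):
    """Return (header dict, list of tar member names or None if encrypted)."""
    stream = io.BytesIO(blob)
    if stream.readline().rstrip(b"\n") != MAGIC:
        raise ValueError("not an Android backup file")
    header = {
        "version": int(stream.readline().strip().decode("ascii")),
        "compressed": stream.readline().strip() == b"1",
        "encryption": stream.readline().strip().decode("ascii"),
    }
    if header["encryption"] != "none":
        # Encrypted backups continue with salts, PBKDF2 rounds, IV and a
        # wrapped master key; the payload is unreadable without the password.
        return header, None
    payload = stream.read()
    if header["compressed"]:
        try:
            payload = zlib.decompress(payload)
        except zlib.error as exc:
            raise ValueError("truncated or corrupt backup payload") from exc
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        return header, tar.getnames()

def build_sample_ab(encryption="none"):
    """Constructed sample backup holding two placeholder WhatsApp files."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in ("apps/com.whatsapp/db/msgstore.db",
                     "apps/com.whatsapp/sp/com.whatsapp_preferences.xml"):
            data = b"constructed placeholder content"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    head = MAGIC + b"\n1\n1\n" + encryption.encode("ascii") + b"\n"
    return head + zlib.compress(raw.getvalue())

if __name__ == "__main__":
    hdr, names = parse_ab(build_sample_ab())
    print(hdr)
    for n in names:
        print(" ", n)
```

In the tar, `db/` holds the app's databases and `sp/` its shared preferences, which is where `com.whatsapp_preferences.xml` lives.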

Extracting WhatsApp from Android: The How-To Guide

That’s all great, but what do you actually do to extract a WhatsApp database from an Android smartphone? Since most Android devices don’t have root installed, we’ll put the most common scenario first.

Connect your Android smartphone to the PC. The smartphone can be isolated in a Faraday bag and/or put into Airplane mode.

  1. In Elcomsoft Explorer for WhatsApp, use “Load from Device”. The tool will display step-by-step instructions you’ll have to follow on the phone. You’ll need to unlock the device, enable Developer Options and turn on ADB Debugging.
  2. Elcomsoft Explorer for WhatsApp will display the list of connected devices (provided that you have the correct drivers installed and ADB Debugging enabled).
  3. Select the Android phone you are about to process. Elcomsoft Explorer for WhatsApp will display information about the device.
  4. Click “Load data” to begin the extraction.
    Note: once the “Forcing backup…” message appears you will need to confirm a backup prompt on the Android device.
  5. Elcomsoft Explorer for WhatsApp will automatically import and display the data including Calls, Messages, Media and Contacts.

Load from Local Storage

Elcomsoft Explorer for WhatsApp supports WhatsApp data extracted from Android devices in other ways (e.g. by booting into a custom recovery, imaging the device or performing chip-off acquisition). In this case, use the “Load from local storage” command.

In order for Elcomsoft Explorer for WhatsApp to process external data, make sure to preserve the original data structure of WhatsApp backups. Broken or incomplete data sets may not be imported. You will need to specify the path to com.whatsapp_preferences.xml extracted from WhatsApp sandboxed data as well as the path to its “media” folder (extracted from the SD card).

After that, you’ll be able to access the messages, contacts, call information and media files.

 

 


18 Comments on "Extracting WhatsApp Conversations from Android Smartphones"

Sam
Guest

“The company does not keep a copy of those messages anywhere on its servers, which rules out direct cloud acquisition. WhatsApp encrypts its cloud backups, which makes acquisition far from trivial.”

Are you referring to Google Drive / iCloud backups being encrypted? They’re certainly not encrypted; they’re stored in plaintext!

Vladimir Katalov
Admin

Sam,

In fact, WhatsApp backups on Google Drive are encrypted — about the same way as backups on the local storage or SD card. Unique key (generated when you activate backup) is being used; it can be obtained from the device (not so hard if device is rooted), or passing the activation again. One can only get *.cryptX (usually .crypt10) files from Google Drive.

In iOS, encryption (of all data but media files) is being used since some recent version of WhatsApp (and only on iOS 10, it seems).

Larry
Guest

Does this also apply to other messengers such as e.g. WhisperSystems’ “Signal” on un/-rooted devices? Thanks.

Larry
Guest

* I forgot to include: un-/encrypted (Android) devices and if not yet – how likely to happen in the (near) future?

Vladimir Katalov
Admin

Sorry, not sure that I understand the question. Do you mean disk/file encryption on the device, or the passcode lock? In order to get our software to work, you need to have access to the phone (and enable USB debugging in developer options).

Larry
Guest

Thanks for the prompt reply Vladimir. I guess my underlying question is regarding the Achilles heel of messengers promising to provide security and protect one’s privacy. And as WhatsApp uses code from Moxie Marlinspike (Signal) I was wondering whether Signal data would be as “easily” accessible; and this for e.g. a rooted Android device with the latest OS updates with and without device encryption enabled. And yes, let’s say there is physical access to the phone but a long enough passcode to open/run Signal is present as a 2nd barrier once you’re past the device lock. I think one could…

Vladimir Katalov
Admin

Larry,

To be honest, we did not analyse Signal on Android yet, but on iOS platform it is definitely the best (most secure) messenger.

Vladimir Katalov
Admin

Not yet, sorry.

Larry
Guest

Thank you very much, Vladimir.

Goi
Guest

Are you able to downgrade Whatsapp to 2.11.431 on Android 7 devices? On a Google Pixel running 7.1.2 I get INSTALL_FAILED_VERSION_DOWNGRADE even after using adb install -d option.

Vladimir Katalov
Admin

Not yet, but working on that!

Raj
Guest

How can I decrypt .db WhatsApp messages that are stored on Windows Phone? Pls help me out.

Vladimir Katalov
Admin

Sorry, we can deal with WhatsApp backups only from iOS and Android at this time.

Ulrich
Guest

com.whatsapp_preferences.xml does not exist in my Whats-App folder: WhatsApp/Databases
Where to find it?

Vladimir Katalov
Admin

That file is located not in WhatsApp/Databases (on SD card), but in whatsapp/shared_prefs (in the sandbox), and so accessible on rooted devices only.

Gauravkumar Shekhat
Guest

Hi, I am a digital evidence examiner, working in a private company.
My company supports local law enforcement. I am using the same trick using ADB scripts and it works well for all OS versions, but for Android 7 it doesn’t work. Application degradation does not work in Android 7, to my knowledge.

Does this software work on the Samsung Galaxy S8+ (Android 7.0) mobile phone?

Vladimir Katalov
Admin

No, we have no Android 7 support yet, but working on that!

Arnau
Guest

Did you find any solution to this problem? I’m currently working on this.
