With over 1.3 billion monthly users, WhatsApp is the most popular instant messaging tool worldwide, and Android is the most popular mobile operating system by far. This makes WhatsApp acquisition from Android devices essential for law enforcement. Elcomsoft Explorer for WhatsApp 2.30 can now download and decrypt Android users’ encrypted WhatsApp communication histories stored in Google Drive. If you have access to the user’s trusted phone number or their physical SIM card (to receive a verification code from WhatsApp), you can now use Elcomsoft Explorer for WhatsApp to download, decrypt and display WhatsApp communication histories backed up into the user’s Google Account. Surprisingly, a cloud backup may, in certain cases, contain even more information than is stored on the device itself. This particularly applies to attachments (photos and videos) sent and received by WhatsApp users and then deleted from the device.
All recent versions of WhatsApp encrypt their backups with a cryptographic key unique per WhatsApp account. Without access to that cryptographic key, the only things Elcomsoft Explorer for WhatsApp could extract from the user’s Google Account are contacts and media files sent and received by the WhatsApp user. The main communication history is securely encrypted with AES-256. To make things even more complicated, different builds of WhatsApp used different encryption algorithms, which makes an all-in-one decryption tool harder to build. Elcomsoft Explorer for WhatsApp 2.30 solves all of these issues by automatically downloading and decrypting the backup from the user’s Google Account. The cryptographic key is generated automatically based on the authentication code received as a text message and delivered to the user’s trusted phone number.
In order to download and decrypt Android users’ WhatsApp communication histories, you will need all of the following:
The Android version of WhatsApp can back up its communication history into the user’s Google Account, specifically Google Drive. While WhatsApp does not encrypt media files (pictures and videos) sent and received by its users (making it possible for Elcomsoft Explorer for WhatsApp to extract them even without the cryptographic key), the main communication history, the actual messages, is securely encrypted with an AES-256 based encryption algorithm. The exact algorithm depends on the version of WhatsApp, but one thing is for certain: it simply isn’t possible to decrypt the data without the key.
The encryption/decryption key is generated by WhatsApp servers the first time the user makes a backup. The key is never stored in the cloud; instead, it is only kept on the device. Whether or not the key can be extracted from the device depends on the version of Android and the device’s root status; we won’t touch this issue here and point you to this article instead.
However, it is possible to generate that key based on the user’s WhatsApp ID (their phone number). The newly generated encryption key will exactly match the key that was used to make all of the user’s previous backups in their Google Account; moreover, this very same key will be used for all future WhatsApp backups of that user created in their Google Account. In other words, you just need to generate the key once, and can use it indefinitely to obtain past, present and future backups.
Permanent decryption key: The decryption key received by Elcomsoft Explorer for WhatsApp is permanent and does not change if the user changes their Google Account password. The decryption key remains valid even after re-authenticating WhatsApp on a different device, provided that the same phone number and Google Account are used. The same key can be used to decrypt older backups created before the key was retrieved.
In order to generate the cryptographic key, Elcomsoft Explorer for WhatsApp attempts to register itself as a WhatsApp application. Once the tool sends the authentication request to the WhatsApp server, the server sends a verification code to the user’s registered phone number. This code must be entered into Elcomsoft Explorer for WhatsApp in order to generate the cryptographic key.
Note: Since WhatsApp is restricted to only running on a single device, receiving an authentication key deactivates the user’s existing WhatsApp instance. The user’s Android phone will no longer be able to send or receive WhatsApp messages after transferring WhatsApp registration to Elcomsoft Explorer for WhatsApp unless the user re-authenticates it on their device. However, even after re-authentication, the cryptographic key will remain valid and usable.
Follow these steps to extract a WhatsApp backup from the user’s Google Account.
WhatsApp remains one of the most reliable instant messaging services. Based on Whisper Systems communication protocols, its point-to-point communications remain securely protected even if someone manages to intercept them. Cloud backups remain one of the few vectors of attack that allow remote access to WhatsApp communication history. If you have cloud backups enabled in WhatsApp and your phone is suddenly deregistered from your WhatsApp account, watch out, as someone could have accessed your data. As always, we recommend activating two-factor authentication to protect your Google Account.
Elcomsoft Explorer for WhatsApp is a tool to download, decrypt and display WhatsApp communication histories. The tool automatically acquires WhatsApp databases from one or multiple sources, processes information and displays contacts, messages, call history and pictures sent and received. The built-in viewer offers convenient searching and filtering, and allows viewing multiple WhatsApp databases extracted from various sources.