ElcomSoft blog

«…Everything you wanted to know about password recovery, data decryption,
mobile & cloud forensics…»


WhatsApp Business Acquisition Guide

May 29th, 2018 by Oleg Afonin

Starting with version 2.40, Elcomsoft Extractor for WhatsApp supports physical and cloud acquisition of WhatsApp Business. The physical extraction method requires root access, while cloud acquisition requires authenticating into the user’s Google Drive account with the proper authentication credentials. In addition, a verification code received from WhatsApp as an SMS must be provided to decrypt the backup downloaded from Google Drive. In this guide, we’ll describe all the steps required to perform physical and cloud acquisition of WhatsApp Business.

WhatsApp Business Physical Extraction

Exclusively available to Android users, WhatsApp Business is an app offering a number of features aimed at small business owners. The free Android app allows businesses to interact with their customers by using a number of automation tools to quickly find and respond to messages. With more than 10 million installations from the Google Play Store, WhatsApp Business has definitely gained traction with its customers.

It is important to note that WhatsApp Business is a separate app, and can run alongside the regular WhatsApp app. However, unless the user has a dual-SIM phone and configures the two WhatsApp apps to use different phone numbers, only one of the apps can be active. If the user has a phone with a single SIM card, activating WhatsApp Business on that phone number will automatically deactivate the regular app, and vice versa.

WhatsApp is renowned for its security, and this tradition continues with the Business app. Compared to the ‘normal’ WhatsApp, the Business app has a different protection scheme that rules out physical acquisition from Android devices without root access. For this reason, Elcomsoft Extractor for WhatsApp must utilize root access in order to extract the WhatsApp Business working database. As a result, a rooted Android phone is a prerequisite for physical extraction.

In order to extract information from a rooted device, perform the following steps.

  1. Enable USB Debugging on the Android device you are about to acquire. This may require unlocking the device and, depending on the Android version, entering the passcode. If USB Debugging is already enabled, skip this step.
  2. Connect the phone to the computer and make sure that an ADB link is established. You may verify it by running the “adb devices” command from the command prompt. You may be prompted to confirm the ADB link prompt on the phone, which again will require unlocking the device. Once “adb devices” returns the list of devices attached, you’re good to go.
  3. Launch Elcomsoft Extractor for WhatsApp 2.40 or newer.
  4. Select Android > Load from Device. Note: if you receive the “Java not installed” warning, you’ll have to download and install the Java package from Oracle.
  5. EXWA will check if the device is connected.
  6. If the device is connected and USB debugging is authorized, you will see information about the device. Click Load data to continue.
  7. The data will be first copied from the private sandbox to common storage.
  8. The data will be pulled to your computer. This may take a while depending on the amount of media files being extracted.
  9. Once the process is complete, the backup will appear in the list of available sources.
  10. Click on a backup to view its contents.
  11. You now have access to the entire WhatsApp working database including conversations, pictures, videos, history logs and contacts.
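
The ADB check from step 2 can be scripted as a pre-flight test before launching the extraction. The following is an added example, not part of the original guide or of Elcomsoft's tooling; it parses the output of “adb devices” and reports which devices are authorized and which still need attention. The sample output and serial numbers are constructed, and the function names are hypothetical.

```python
import subprocess

# Meaning of the state column printed by `adb devices`.
STATE_ADVICE = {
    "unauthorized": "unlock the phone and confirm the USB debugging prompt",
    "offline": "reconnect the cable or restart the ADB server",
    "no permissions": "host lacks USB access to the device (Linux udev rules)",
}

def parse_adb_devices(output):
    """Return a list of (serial, state) tuples from `adb devices` output."""
    devices = []
    for line in output.splitlines():
        line = line.strip()
        # Skip blanks, the header line and adb daemon start-up messages.
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            serial, rest = parts
            # `adb devices -l` appends key:value fields after the state.
            state = "no permissions" if rest.startswith("no permissions") else rest.split()[0]
            devices.append((serial, state))
    return devices

def preflight(output):
    """Return (ready_serials, problems) for an acquisition pre-flight check."""
    ready, problems = [], []
    devices = parse_adb_devices(output)
    if not devices:
        problems.append("no device listed: check the cable and USB Debugging")
    for serial, state in devices:
        if state == "device":
            ready.append(serial)  # ADB link established and authorized
        else:
            advice = STATE_ADVICE.get(state, "unexpected state")
            problems.append(f"{serial}: {state} -> {advice}")
    return ready, problems

def run_adb_devices():
    """Run the real command; requires adb on PATH."""
    return subprocess.run(["adb", "devices"], capture_output=True,
                          text=True, check=True).stdout

# Constructed sample output (serial numbers are made up).
SAMPLE = "List of devices attached\nEXAMPLE0001\tdevice\nEXAMPLE0002\tunauthorized\n"

if __name__ == "__main__":
    print(preflight(SAMPLE))
```

On a live workstation, pass `run_adb_devices()` to `preflight()` instead of the constructed sample.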

WhatsApp Business Cloud Extraction from Google Drive

In the majority of cases you’re likely to deal with Android phones that don’t have root access installed. Unless it’s an old handset with a known vulnerability, or it has its bootloader unlocked, rooting the phone may be difficult or unfeasible. For these situations, we developed a solution allowing you to extract WhatsApp Business data from a Google Drive backup. Quite obviously, you’ll need to authenticate into the user’s Google Account in order to download the backup. However, that’s not the end of it.

WhatsApp and WhatsApp Business encrypt their Google Drive backups (everything except media, which is available in plain form) with a key that is impossible to obtain from the device without root access. The encryption key is also held on WhatsApp servers, and is normally used when the user restores their cloud backup on a new device. Notably, Google Drive backups contain somewhat less information compared to what is available through physical extraction.

Elcomsoft Extractor for WhatsApp can register as a new WhatsApp Business client and obtain the encryption key from the server. In order to register as a WhatsApp Business client, the tool requests a one-time code received as an SMS from WhatsApp; you will be required to enter that code into Elcomsoft Extractor for WhatsApp to confirm registration.

Below are the steps to perform cloud acquisition of WhatsApp Business.

  1. Launch Elcomsoft Extractor for WhatsApp 2.40 or newer.
  2. Select Android > Download from Google Drive.
  3. Provide the user’s Google ID and password. If the account is protected with Two-Factor Authentication, you will be prompted to complete the secondary authentication step. Elcomsoft Extractor for WhatsApp supports all current 2FA methods provided by Google including backup codes, Google Prompt, the Authenticator app, FIDO keys, and more.
  4. If authentication is successful, you will be presented with the list of available backups. If there is no data available, you may need to create a fresh backup. You can do this by unlocking the phone, launching the WhatsApp Business app and tapping Settings > Chats > Chat backup. Enable backups in Google Drive settings below and tap the green BACK UP button.
  5. Select one or more backups and click Download.
  6. Elcomsoft Extractor for WhatsApp will download the backup(s).
  7. Since WhatsApp Business always encrypts conversations but not the media, you will be presented with a choice. You may simply open the already downloaded backup, in which case you’ll only be able to access the contacts and media files (pictures and videos, if available). Alternatively, you can try to decrypt the backup, in which case you’ll gain access to the user’s histories and conversations as well.
  8. In order to obtain the decryption key, Elcomsoft Extractor for WhatsApp must register itself as a new WhatsApp Business client. You will be required to enter a one-time code sent by WhatsApp to the user’s registered phone number (SIM card). Click “Request code” to request an SMS with a one-time code. Once the code is delivered, enter it in the window and click “Decrypt”.
  9. In a few moments, the backup will be decrypted. You will be able to access the entire content of the backup.
