"WhatsApp is by far the most popular instant messaging tool in North America and most of Europe", says Vladimir Katalov, ElcomSoft CEO. "By adding Android support to our acquisition tool, we have now covered the majority of use cases, allowing investigators obtain WhatsApp communication histories from both Apple and Android smartphones."
Background
Despite recent discoveries regarding the security of WhatsApp Signal Protocol, the app’s end-to-end message delivery still remains secure. This is especially so when it comes to messages that were already delivered. WhatsApp securely encrypts all communications, backups and databases. WhatsApp does not keep communication histories on their servers, making them unavailable to hacker attacks. For the same reason, government requests result in very limited data. As a result, acquisition is only possible from physical devices, iOS system backups or proprietary WhatsApp backups.
Extracting and Decrypting WhatsApp Databases from Android Devices
Extracting WhatsApp databases is now possible from Android devices. WhatsApp securely encrypts its databases. The cryptographic key required to decrypt the database is securely stored in a protected area. Extracting the decryption key from an Android device would generally require root access, custom recovery (TWRP, CWM or similar) or unencrypted image of the device. If root access or unencrypted image are available, Elcomsoft eXplorer for WhatsApp can extract and decrypt WhatsApp databases from all Android handsets running Android 4.0 through 7.1.1.
If root access is not available and physical imaging of the device is not possible due to full-disk encryption, the task of extracting a cryptographic key required to decrypt the database becomes significantly more complicated. If this is the case, Elcomsoft eXplorer for WhatsApp employs an advanced acquisition method that pushes an ElcomSoft extraction tool onto the device. The tool gains access to the WhatsApp decryption key and returns it to decrypt the database. The non-root acquisition method is available for Android handsets running Android 4.0 through 6.0.1.
Elcomsoft eXplorer for WhatsApp is an all-in-one tool for acquiring, extracting and viewing WhatsApp communication histories. Supporting a wide range of acquisition options, Elcomsoft eXplorer for WhatsApp can extract WhatsApp data from local iTunes backups, retrieve WhatsApp databases from iCloud backups and download stand-alone WhatsApp backups from Apple iCloud Drive. Version 2.0 gained the ability to extract WhatsApp communication histories from most rooted and non-rooted Android devices. Cloud acquisition requires entering the correct authentication credentials (Apple ID and password). Encrypted backups can be decrypted automatically once the correct password is supplied.
The built-in viewer offers convenient access to contacts, messages and pictures sent and received during conversations. Multiple WhatsApp databases can be analyzed at the same time. Searching and filtering make it easy locating individual messages or finding communication sessions that occurred over a certain date range.
Pricing and Availability
The Home edition of Elcomsoft eXplorer for WhatsApp is immediately available. The advanced Forensic edition with additional acquisition and filtering options is in the plans. Elcomsoft eXplorer for WhatsApp Home is available to North American customers for $79. Pricing for the upcoming Forensic edition is to be announced. Local pricing may vary.
System Requirements
Elcomsoft eXplorer for WhatsApp supports Windows Vista, Windows 7, 8, 8.1, and Windows 10 as well as Windows 2003, 2008 and 2012 Server.