Recently, ElcomSoft Co. Ltd. released a major update to Elcomsoft eXplorer for WhatsApp. Elcomsoft Explorer for WhatsApp 2.30 adds the ability to extract and decrypt WhatsApp stand-alone backups created by Android users in Google Drive. The tool obtains a WhatsApp cryptographic key by registering itself as a new device.
The decryption is possible with access to a verified phone number or SIM card, and requires authenticating into the user's Google account. A WhatsApp encryption key must be only obtained once, and can be used to access all previously created and all future backups for a given combination of Google Account and phone number. The tool provides automatic download and decryption for WhatsApp backups and comes with a built-in viewer.
Notably, a cloud backup may, in certain cases, contain even more information than stored on the device itself. This particularly applies to attachments (photos and videos) sent and received by WhatsApp users and then deleted from the device.
WhatsApp for Android: Not an Easy Target
For several years, WhatsApp has been encrypting its backup databases. Both stand-alone and cloud backups produced by the Android app and are securely protected with industry-standard AES256 encryption. The encryption key is generated by WhatsApp at the time of the first backup. The key is unique per account and per phone number. If the user has multiple WhatsApp accounts and only one Google Account, each WhatsApp account will use a unique encryption key.
The encryption keys are generated by WhatsApp servers; they are never stored in Google Drive. Extracting the encryption keys from a local Android may or may not be possible depending on the phone's root status and the version of Android it is running.
Making things even more complicated is the fact that the many versions of WhatsApp released during the last years are employing different encryption algorithms. This makes it difficult to build an all-in-one acquisition tool compatible with all versions of WhatsApp.
Elcomsoft Explorer for WhatsApp 2.30 gains the ability to download WhatsApp backups for Android devices directly from the user's Google account, retrieve cryptographic keys from WhatsApp servers and decrypt the content of WhatsApp backups including conversation histories and messages.
In order to obtain the encryption key from WhatsApp, access to the user's trusted phone number or SIM card is required. The authentication code is requested and delivered as a text message. Based on that authentication code, Elcomsoft Explorer for WhatsApp automatically creates a cryptographic key that will be used to decrypt all existing and future backups for a given combination of Google Account and phone number. In addition, the user's authentication credentials are required to log in to their Google Account.
If the expert does not have access to the user's SIM card or trusted phone number, Elcomsoft Explorer for WhatsApp can access contacts and media files (pictures and videos) the users send and receive with WhatsApp.
Step-by-step WhatsApp acquisition guide: https://blog.elcomsoft.com/2018/01/extract-and-decrypt-whatsapp-backups-from-google/
For more information, please visit https://www.elcomsoft.com/exwa.html