±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 34287
New Yesterday: 6 Visitors: 236

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

WhatsApp Theory

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2 

Re: WhatsApp Theory

Post Posted: Sun Jul 15, 2018 10:50 pm

Sounds like heartache 101

- edigama25
if the device is locked with a passcode/encrypted boot and you do not have the password? you can do nothing.
but if you have mtp acces to the device you can copy all the whatsapp folder to a PC then from a PC to a rooted device. install whatsapp on that device and activate it as you would do a normal whatsapp(you will need the sim card or access to a phone with that specific phone number for this ). and after activation extract as you normally would.

Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 

Senior Member

Re: WhatsApp Theory

Post Posted: Mon Jul 16, 2018 1:08 am

maybe but that is the only option i can think of that will give me at the end a whatsaap messages. any other ideas besides taking ton of screenshots?  


Re: WhatsApp Theory

Post Posted: Mon Jul 16, 2018 8:01 am

Please , describe EXACT status of the phone.
According to POST1, if you could take screenshots, seems you have access to device.

In order to give you best option, we need to know exactly how the device is.  

Senior Member

Re: WhatsApp Theory

Post Posted: Mon Jul 16, 2018 8:35 am

- jaclaz
- passcodeunlock
How do you save the encrypted database from a non-rooted device ?! How do you save already deleted data from a non-rooted device ?!

When creating a WhatsApp backup and restoring to another device to do what you say, you will be missing a lot of timing and logs related data, which are stored on the original device only. This means data integrity issue, forensically your way is void.

Isn't anyway that the same "missing" data if you adopt the screenshooting or scrolling video recording approach? Question

No, it is not the same, try it yourself. What if the device owner uses more then a single WhatsApp account ? With access to the device you can recover more data from WhatsApp, then from a backup, since that will hold the data only for the current WhastApp user.

All I try to suggest is that the right way for this task is creating a physical dump and analyzing that.

Maybe I'm just picky, but life proves me right most of the time Smile
With a little luck, I can access Android userdata partitions from binary dumps. Full dump is required, physical access to the device helps a lot, but it is optional. 

Senior Member

Re: WhatsApp Theory

Post Posted: Mon Jul 16, 2018 9:37 am

One potential collection method (Phone to Cloud to Windows Workstation):

1) Install WhatsApp desktop version to a forensic collection workstation: www.whatsapp.com/download/

2) Enter the target WhatsApp userID and password into the newly installed WhatsApp desktop installation.

3) Synchronize the WhatsApp version running on one's forensic workstation.

4) Collect data from the WhatsApp folder on the forensic workstation

When I used this technique in the past on a Mac OSX computer, the WhatsApp data I downloaded to the Mac was NOT encrypted.  

Senior Member

Page 2 of 2
Go to page Previous  1, 2