How To Decrypt WhatsApp Messages With Oxygen Forensic Detective

Welcome to Oxygen Forensic Detective’s Knowledge Nuggets. In this video we’re going to discuss decrypting WhatsApp messaging.

Let’s go over a few very important points that you need to consider before analyzing WhatsApp. 

Number one: always place the device in airplane mode. This is important for many reasons, but the reason specific to WhatsApp is that during the extraction of WhatsApp from an iCloud backup, a Google Drive backup or the WhatsApp cloud, entering the phone verification code will disable the previous WhatsApp installation. The application on the device will then lose its verified status.

Number two: pay close attention to the last date WhatsApp was used. If the extraction is attempted more than 45 days after the last time the WhatsApp account was online, all of the account data will automatically be wiped from the servers and the account will be removed from all group chats it participated in.



Number three: disable the two-step verification if you can. 

Number four: decryption depends on the sender. The WhatsApp cloud relies on the original sender's devices to decrypt end-to-end encrypted messages. Some messages may therefore take hours or days to be decrypted, so you may want to do an additional extraction a few days after the first one.

Number five: always check for backups. If you receive a device with WhatsApp installed but there is no data, keep looking: your suspect may have deleted what was visible to you, but there may still be backups. So check for Google backups, iCloud backups and the WhatsApp cloud backup itself.

The first way to extract data from WhatsApp is to do so by extracting the device with Detective. If the device with WhatsApp can be unlocked, check the status of the two-step verification, look in the settings and disable it if it’s enabled. 

If the device with WhatsApp can be unlocked, check if the messages are intact. If data was not wiped by the device owner, make a new cloud backup of the account manually. Switch the device to airplane mode, and make a record of the current date and time. 

If the device acquisition is possible, extract WhatsApp data directly from the device. 

Let’s say I’ve gone ahead and backed up my WhatsApp messages. My next step would be to extract the device. So let’s look and see what the results look like. 

We have WhatsApp Business, Messenger, and we already have some backups in this device. Here we can see account information, all contacts, our chats, any group chats, and additional information. 

Now let's use our Cloud Extractor to extract additional data. Navigate to your backups and select msgmessagestore.db. This is the database containing your messages, and it is encrypted, so you will need your token.

We can authenticate with our phone number or with the cloud token. If you don't have the token, use the phone number, but remember that when you do this you will be logged out of the WhatsApp account on the device, so make sure you have the device extraction first. Keep in mind that you will need to turn airplane mode off so you can receive the SMS from WhatsApp.

Since we have selected the authentication type to be with SMS, it will send us a code or it can make a phone call. Here we can see, since I have made this request too many times today, I’ll have to go back and request the phone call. And I’ve just received notification that I’ve been logged out of my WhatsApp account on the device itself. 

Now we can open the WhatsApp backup in Oxygen Forensic Detective and see how it parsed. Now that this database has been decrypted and parsed, you can see the information that's available.

Now that we’ve decrypted some backup files, and you see just how easy it is to grab a token or authenticate through SMS, let’s walk through a new extraction. Here we’re going to use the cloud extractor to pull down all backups possible. 

Let’s go into the device first. Find all the credentials that we can, parsed from the device, and we’re going to input them here. Click on ‘New extraction’ and choose the WhatsApp application.

We’re going to select all and start with our username and password.

Next we'll upload a key file. This key file will authenticate your WhatsApp Google backup. You can find this file in the following file path on an Android device. If you've extracted the device information and navigated in the file section to find this key, save it out to your desktop so it's easy to find, and import it here.

Put the phone number in. Remember that once it authenticates here with the phone number, you will no longer be able to access the account within the device. Meaning, if you authenticate using the phone number first, you will be kicked out of the device before you can authenticate with the QR code, and vice versa. And if you have a token, place it here.
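The ordering rules spread across the five points above and the two walkthroughs (device extraction before any phone-number login, the 45-day window, one of phone number or QR code but not both, a second cloud pass for messages still awaiting decryption) are easy to get wrong under time pressure. The script below is an added example, not code from the video or from Oxygen Forensic Detective; it turns those rules into a small pre-extraction planner. The `DeviceState` fields, the step wording and the sample case are this example's own assumptions, and the 45-day figure is the one stated in the video.

```python
from dataclasses import dataclass
from datetime import date

# Figure stated in the video: server-side account data is wiped 45 days after the account was last online.
ACCOUNT_RETENTION_DAYS = 45


@dataclass
class DeviceState:
    """Facts the examiner establishes before touching WhatsApp (field names are this example's own)."""
    unlockable: bool             # can the handset be unlocked?
    airplane_mode: bool          # is it already isolated from the network?
    two_step_verification: bool  # is WhatsApp two-step verification enabled?
    messages_intact: bool        # are chats still present, or has the owner wiped them?
    last_online: date            # last time the account was seen online
    has_cloud_token: bool        # do we hold the WhatsApp cloud token parsed from the device?


def days_until_server_wipe(last_online: date, today: date) -> int:
    """Days left in the 45-day window; zero or negative means the window has closed."""
    return ACCOUNT_RETENTION_DAYS - (today - last_online).days


def validate_cloud_auth(methods: list[str]) -> list[str]:
    """Phone-number and QR-code authentication each invalidate the other session,
    so a plan may use at most one of them."""
    exclusive = {"phone_number", "qr_code"}
    chosen = [m for m in methods if m in exclusive]
    if len(chosen) > 1:
        raise ValueError(f"choose one of {sorted(exclusive)}, not {chosen}")
    return methods


def plan_acquisition(state: DeviceState, today: date) -> dict:
    """Order the steps so that nothing that logs the device out runs before the device
    itself has been extracted; returns steps, warnings and the remaining retention window."""
    steps: list[str] = []
    warnings: list[str] = []

    remaining = days_until_server_wipe(state.last_online, today)
    if remaining <= 0:
        warnings.append("Account last online more than 45 days ago: server-side data may already be wiped")
    elif remaining <= 7:
        warnings.append(f"Only {remaining} day(s) left in the 45-day retention window; extract now")

    if state.unlockable:
        if state.two_step_verification:
            steps.append("Disable two-step verification in WhatsApp settings")  # point three
        if state.messages_intact:
            steps.append("Make a manual cloud backup of the account")
            needs_isolation = True  # the backup needed the network, so isolate again afterwards
        else:
            warnings.append("Chats were wiped on the device: check Google, iCloud and WhatsApp cloud backups")  # point five
            needs_isolation = not state.airplane_mode
    else:
        warnings.append("Device cannot be unlocked: rely on Google, iCloud and WhatsApp cloud backups")
        needs_isolation = not state.airplane_mode

    if needs_isolation:
        steps.append("Switch the device to airplane mode and record the current date and time")  # point one
    if state.unlockable:
        steps.append("Extract WhatsApp data directly from the device")

    # Cloud stage: the token keeps the device session alive; the phone number does not.
    if state.has_cloud_token:
        auth = ["cloud_token"]
        steps.append("Cloud Extractor: authenticate with the cloud token")
    else:
        auth = ["phone_number"]
        steps.append("Turn airplane mode off to receive the SMS or voice code (the device session will be logged out)")
        steps.append("Cloud Extractor: authenticate with the phone number")
    validate_cloud_auth(auth)
    steps.append("Re-run the cloud extraction a few days later for messages still awaiting sender-side decryption")  # point four
    return {"steps": steps, "warnings": warnings, "days_until_server_wipe": remaining}


if __name__ == "__main__":
    # Constructed sample case, not taken from the video.
    sample = DeviceState(unlockable=True, airplane_mode=False, two_step_verification=True,
                         messages_intact=True, last_online=date(2023, 1, 1), has_cloud_token=False)
    plan = plan_acquisition(sample, date(2023, 2, 10))
    for warning in plan["warnings"]:
        print("!", warning)
    for step in plan["steps"]:
        print("-", step)
```

The planner's only real job is sequencing: the device extraction always precedes the phone-number login that would log that device out, and a plan that tries both phone-number and QR-code authentication is rejected outright rather than discovered halfway through.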

Once this carries over to Detective, you can now see your entire WhatsApp account parsed. For more information on Oxygen Forensic Detective and for training opportunities, please contact us.
