
anyone decrypt crypt8 whatsapp file?

(@harshbehl)
Trusted Member
Joined: 11 years ago
Posts: 67
 

Hi Kbertens
Thanks a lot for the reply. Can you share your email ID? You can mail me at harsh_behl@live.com


   
(@harshbehl)
Trusted Member
Joined: 11 years ago
Posts: 67
 

Droopy
I will surely have a look. Can you suggest one that can work with USB debugging enabled and an unrooted phone?


   
(@droopy)
Estimable Member
Joined: 11 years ago
Posts: 136
 

Sure, use www.andriller.com
It is free for 30 days, you could buy it or use the cracked version free.


   
(@harshbehl)
Trusted Member
Joined: 11 years ago
Posts: 67
 

Droopie, thanks for the recommendation.
But I am very sorry for the incorrect information, as the phone is not USB debugging enabled. USB debugging is disabled. I know that if it was enabled there were several ways.


   
(@mark_adp)
Trusted Member
Joined: 13 years ago
Posts: 63
 

Hey,

The key is *usually* stored in /data/data/com.whatsapp/files/key

The encryption method used in crypt8 is AES with a 256-bit key and a 128-bit Initialisation Vector (IV).

Offsets are here:

Offset 0x6E size 0x10 (IV 128-bit)
Offset 0x7E size 0x20 (AES Key 256-bit)

If you want to decrypt the data yourself you can do so using these keys. You'll need to remove some header data from the crypt8 file and use openssl to decrypt.


   
ReplyQuote
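The key-file offsets from the post above, worked through as an added example (not part of the original post and not code from WhatsApp or any forensic tool). The function names are hypothetical; the header length is left for the examiner to supply because the post does not give it, and the CBC cipher mode and whole-block body check are assumptions the post does not state.

```python
import hashlib

IV_OFFSET, IV_SIZE = 0x6E, 0x10    # from the post: 128-bit IV
KEY_OFFSET, KEY_SIZE = 0x7E, 0x20  # from the post: 256-bit AES key
AES_BLOCK = 16                     # AES block size in bytes


def extract_key_material(key_blob: bytes) -> tuple[bytes, bytes]:
    """Return (iv, key) sliced from the contents of the WhatsApp key file."""
    needed = KEY_OFFSET + KEY_SIZE  # 0x9E = 158 bytes
    if len(key_blob) < needed:
        raise ValueError(f"key file is {len(key_blob)} bytes, need at least {needed}")
    iv = key_blob[IV_OFFSET:IV_OFFSET + IV_SIZE]
    key = key_blob[KEY_OFFSET:KEY_OFFSET + KEY_SIZE]
    return iv, key


def strip_header(crypt8: bytes, header_len: int) -> bytes:
    """Drop the crypt8 header; header_len is supplied by the examiner."""
    body = crypt8[header_len:]
    # Assumption: a block-mode ciphertext, so the body must be whole AES blocks.
    if not body or len(body) % AES_BLOCK:
        raise ValueError("body is empty or not a multiple of the AES block size")
    return body


def openssl_command(iv, key, body_path, out_path, cipher="aes-256-cbc"):
    """Build the argv for `openssl enc`; CBC is an assumption, not from the post."""
    return ["openssl", "enc", "-d", f"-{cipher}", "-nosalt",
            "-K", key.hex(), "-iv", iv.hex(), "-in", body_path, "-out", out_path]


def sha256_hex(data: bytes) -> str:
    """Hash the evidence file before processing, for the case notes."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample data, not real key material.
    blob = bytes(IV_OFFSET) + bytes(range(0x10)) + bytes(range(0x20, 0x40))
    iv, key = extract_key_material(blob)
    print(" ".join(openssl_command(iv, key, "msgstore.body", "msgstore.out")))
```

A body that fails the block-size check usually means the header length passed in is wrong for that file.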
(@harshbehl)
Trusted Member
Joined: 11 years ago
Posts: 67
 

The password (password.key) or pattern (gesture.key) file is in the userdata partition.
Depends on your case but it is possible to replace the recovery partition with a custom build one, mount the userdata partition and remove these keys.
With the files removed you can access the device. Maybe not the best forensic solution, but it works.
So you have a copy of the data on the SD card but no copy of the phone?

YES. I only have the copy of the SD Card. Kindly reply.


   
(@shezzar)
Active Member
Joined: 13 years ago
Posts: 10
 

Hi

I too have the same challenges as harshbehl. Have imaged a laptop and noted it contained crypt8 whatsapp database. However, we do not have the suspect's phone. Hope can provide some insight and help on this.

Much appreciated.

//SheZZaR


   
(@droopy)
Estimable Member
Joined: 11 years ago
Posts: 136
 

Without the key, it is difficult.

If you are government-based forensics, you will need to know the real phone number and create a new registration and redirect the new registration reply digits by SS7 interception to the new SIM to register.
Not easy for the average forensic examiner.

Cracking the key needs supercomputer access and it is also expensive.

I have decompiled WhatsApp to plain source code and the key is generated using the phone number (maybe in later updates they added an IMEI or device fixed key).


   
(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

Belkasoft Evidence Center (https://belkasoft.com/ec) can do that. Free 1-month trial is available on our site.


   
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
 

@droopy - SS7 LI, is AnyTimeInterrogation required? Some operators actually block this cmd.


   