Hello, everyone,
I just browsed through the last year of topics in the Mobile subforum, but I could not find an exact answer.
I worked with Cellebrite 4PC and PA for acquisition and analysis, but now I do not have enough resources to buy it (not until I sell some other project).
I'm looking for an open source or low cost solution for mobile acquisition and analysis.
I made a test with Magnet Acquire, which allowed me only a "Quick Acquisition" for a Xiaomi Mi6 running Android 8. In the same way, it should allow me only a "Quick Acquisition" for an iPhone 5 running iOS 10.3.3. I understand that I'll get a "Full Acquisition" only for rooted/jailbroken devices (please tell me if I'm mistaken), a situation not so common in a daily investigation.
In the same way, I just analyzed it with Magnet AXIOM, through a trial license kindly delivered by a Magnet Forensics account manager, but I could not find app installations or WhatsApp messages, maybe due to the allowed acquisition method (Quick only).
Can any of you suggest other tools that will allow me to acquire and see WhatsApp, Messenger and other chat content (this is the biggest concern), as well as installed apps?
I remember that it worked fine in my previous experience with Cellebrite 4PC using the "Full File System" acquisition.
I tried Andriller, which did not work well because I could not find the "key" file for WhatsApp.
Thank you!
You are not able to decrypt WhatsApp databases without the key file.
You need to have a physical image of a rooted device or at least a file system dump in order to get access to app databases like messenger chats.
For analysis you can try Autopsy - an open source forensics tool.
Jsmacedo, have you tried Oxygen Forensic Detective?
The software will allow you to extract WhatsApp data from Apple iOS devices via a logical method and from Android devices via various physical methods.
Moreover, with the built-in Cloud Extractor, you can access WhatsApp backups in iCloud and Google Drive. We also offer an exclusive opportunity to extract certain WhatsApp data directly from the WhatsApp Server.
As for WhatsApp backup decryption, the software can extract a special token from Android devices with which you can decrypt mobile and cloud WhatsApp backups. This is an alternative to the widely used method with the key file.
Hello,
Thank you for your response.
I just received a trial license from the local representative and I'll give it a try.
I heard a lot about Oxygen Forensics in the past from previous professional experience, but I kept using Cellebrite at that time.
Considering that I'm still planning the services and budget to acquire new resources for external offering, Oxygen can become a nice option.
One more time, thank you!
You are not able to decrypt WhatsApp databases without the key file.
So, considering that the key file is available only on rooted/jailbroken devices (correct me if I'm wrong), it is almost not possible without changing the evidence.
I'm asking because I remember succeeding in getting a few parts of a WhatsApp conversation while executing a "Full File System" acquisition with Cellebrite.
You need to have a physical image of a rooted device or at least a file system dump in order to get access to app databases like messenger chats.
For analysis you can try Autopsy - an open source forensics tool.
Thank you, Thomas.
I believe that it is becoming more and more difficult to get this kind of data without changing the evidence. Considering my previous experience with Cellebrite, I can count on my fingers the number of times I was able/allowed to acquire a physical image of a device.