
WhatsApp Theory

passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

How do you save the encrypted database from a non-rooted device?! How do you save already deleted data from a non-rooted device?!

When creating a WhatsApp backup and restoring to another device to do what you say, you will be missing a lot of timing- and log-related data, which are stored on the original device only. This means a data integrity issue; forensically, your way is void.

Isn't that anyway the same "missing" data if you adopt the screenshotting or scrolling video recording approach?

No, it is not the same, try it yourself. What if the device owner uses more than a single WhatsApp account? With access to the device you can recover more data from WhatsApp than from a backup, since that will hold the data only for the current WhatsApp user.

All I try to suggest is that the right way for this task is creating a physical dump and analyzing that.

Maybe I'm just picky, but life proves me right most of the time :)


   
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

One potential collection method (Phone to Cloud to Windows Workstation)

1) Install WhatsApp desktop version to a forensic collection workstation https://www.whatsapp.com/download/

2) Enter the target WhatsApp userID and password into the newly installed WhatsApp desktop installation.

3) Synchronize the WhatsApp version running on one's forensic workstation.

4) Collect data from the WhatsApp folder on the forensic workstation

When I used this technique in the past on a Mac OSX computer, the WhatsApp data I downloaded to the Mac was NOT encrypted.


   
(@hrecus)
New Member
Joined: 7 years ago
Posts: 2
 

One potential collection method (Phone to Cloud to Windows Workstation)

1) Install WhatsApp desktop version to a forensic collection workstation https://www.whatsapp.com/download/

2) Enter the target WhatsApp userID and password into the newly installed WhatsApp desktop installation.

3) Synchronize the WhatsApp version running on one's forensic workstation.

4) Collect data from the WhatsApp folder on the forensic workstation

When I used this technique in the past on a Mac OSX computer, the WhatsApp data I downloaded to the Mac was NOT encrypted.

Do you know in which directory WhatsApp artifacts are stored in Windows?


   
OxygenForensics
(@oxygenforensics)
Estimable Member
Joined: 14 years ago
Posts: 143
 

I would like to add some additional information about WhatsApp extraction techniques.
Besides commonly used methods that extract and decrypt WhatsApp data from mobile devices and iCloud/Google Drive, our software offers the ability to acquire certain types of data directly from the WhatsApp Server via phone number or a special token.
This data may include messages with attachments, information about messages deleted from private and group chats, original messages embedded into the reply, broadcast messages, missed calls and information about contacts. This is not a complete WhatsApp backup, but it can still be extremely useful in cases where the device is damaged, locked, or missing.


   
(@cs1337)
Trusted Member
Joined: 12 years ago
Posts: 83
 

What are your thoughts on just exporting the chat from the menu in WhatsApp?

… -> More -> Export Chat -> Include Media -> Exporting via Email

Trying to see if I can Bluetooth transfer that file or save to SD card.


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

Post your results.

What are your thoughts on just exporting the chat from the menu in WhatsApp?

… -> More -> Export Chat -> Include Media -> Exporting via Email

Trying to see if I can Bluetooth transfer that file or save to SD card.


   
(@droopy)
Estimable Member
Joined: 11 years ago
Posts: 136
 

For WhatsApp we offer the remote extraction of WhatsApp chats. No user intervention.
All history chats 15/30 days

Requirements: User must have a Google Drive backup of the chats

Price: 35K

I know it is high, but it is that price, sorry


   
(@zeroonezero)
Active Member
Joined: 7 years ago
Posts: 16
 

For WhatsApp we offer the remote extraction of WhatsApp chats. No user intervention.
All history chats 15/30 days

Requirements: User must have a Google Drive backup of the chats

Price: 35K

I know it is high, but it is that price, sorry

35k!?! Absurd. It's not that difficult. The steps needed are long but there is an easy way to grab Android WhatsApp data.

I use Cellebrite UFED4PC for my extraction and parsing.

1. Have the client create a backup of their WhatsApp to Google Drive through the WhatsApp application.

2. Prepare a test phone that's rooted. Most Samsung phones are easy to root and obtain a physical image/file system extraction. I use a Galaxy S6 since it's easy to root. Every time I perform a WhatsApp collection this way, I factory reset the device after I pull it. This kills the root. Due to this, I like that the S6 can be rooted through Odin in a matter of seconds.

3. Log in to your client's WhatsApp account on the device. This is done using their Gmail account the backup was created to. You don't need a SIM card or anything. You simply need to have your client confirm the login through the client's phone. This will log your client out of WhatsApp. Only one session can be active at a time.

4. Choose the option to restore the backup from Google Drive. This pulls their backup onto your rooted phone.

5. Thanks to root access, you have full access to WhatsApp. Perform a physical extraction. File system should work as well.

6. Parse and profit!

You can only pull backups from Google Drive via Android WhatsApp. iCloud backups are stuck on iOS WhatsApp.

The data on Google Drive is stored under the Backups Section. This section cannot be accessed from Google Drive syncing or directly. So far, I have only been able to interact via WhatsApp. Clicking on it within Google Drive gives me an option to delete it. You cannot download directly or browse.

This might work with an iPhone with a jailbreak. Log in to their iCloud account via WhatsApp and pull the backup down.

Edit: I'd like to add that attempts to pull WhatsApp backups through Cloud Analyzer did not work. I contacted support with no resolution so far.


   
(@cs1337)
Trusted Member
Joined: 12 years ago
Posts: 83
 

Post your results.

What are your thoughts on just exporting the chat from the menu in WhatsApp?

… -> More -> Export Chat -> Include Media -> Exporting via Email

Trying to see if I can Bluetooth transfer that file or save to SD card.

Looks like if you have RAR installed you can export each chat individually into a RAR and then export to an SD card. I might go this route and then just make an AD1 image of the file. I do like ZeroOneZero's idea below to transfer the account to a rooted Galaxy S6. That's not a bad idea either since I can leverage Cellebrite.


   