Decryption of Whats...
 
Notifications
Clear all

Decryption of WhatsApp

DCS1094
(@dcs1094)
Active Member

I have a Micro SD from a Blackberry containing encrypted WhatsApp message stores/db files.

Until recent times, the only way of obtaining the contents, is to view the Chats through the Handset with the Memory Card inserted and capture via a manual… painful task but does the job.

I know there was a new release in August of Cellebrite PA which cracked the decryption of the db files via completing a file system & physical extraction of the device; then using the 'open advanced' feature on PA to eventually obtain the chats.

I don't seem to be having much luck with this method, all data is decoded however no WhatsApp contents…

Any other ideas/assistance is appreciated.

Thanks in advance,

Dan

Quote
Topic starter Posted : 31/10/2013 5:59 pm
kbertens
(@kbertens)
Member

So besides the Micro SD you also have a extraction of the Blackberry?
Send you a pm for some more info.

BTW Have a look at http//www.slideshare.net/andrey.belenko/ios-and-blackberry-forensics

ReplyQuote
Posted : 31/10/2013 7:30 pm
DCS1094
(@dcs1094)
Active Member

Yes.

Cheers

Dan

ReplyQuote
Topic starter Posted : 31/10/2013 8:41 pm
Igor_Michailov
(@igor_michailov)
Senior Member

Oxygen Forensic Suite support WhatsApp decryption.

ReplyQuote
Posted : 31/10/2013 8:44 pm
RonS
 RonS
(@rons)
Active Member

Please use the UFED version that was released this week, there was a fix exactly for this.

Ron Serber

ReplyQuote
Posted : 01/11/2013 12:18 am
DCS1094
(@dcs1094)
Active Member

Thanks for this guys. Will be sure to check both out when next in the lab.

ReplyQuote
Topic starter Posted : 01/11/2013 2:49 am
jtingkir
(@jtingkir)
New Member

I just decrypted one whatsapp db from an unrooted android device, the process is simple…these are the tools I used

1. http//sch3m4.github.io/wforensic/ -> used for decryption and merging db files
2. http//blog.digital-forensics.it/2012/05/whatsapp-forensics.html -> used for printing those decrypted db into printable form, so you won't need to look it using sqldb viewer or stuff like that.

good luck.

ReplyQuote
Posted : 07/11/2013 7:59 am
kbertens
(@kbertens)
Member

The question was about a Blackberry.

ReplyQuote
Posted : 07/11/2013 6:05 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

The question was about a Blackberry.

I have seen android backups on a Blackberry memory card before but it is not common.

Can you please give the path to the db file? Is the header of the file REM?

If its REM then it is encrypted with RIM encryption. You need to download the phone file system and physical using UFED at the same time in PA using 'Open Advanced'. This is the only way I know to decrypt Blackberry enrypted whats app backups and is only supported on a limited iterations of Blackberry OS

ReplyQuote
Posted : 01/12/2013 7:06 pm
DCS1094
(@dcs1094)
Active Member

I have seen android backups on a Blackberry memory card before but it is not common.

Can you please give the path to the db file? Is the header of the file REM?

If its REM then it is encrypted with RIM encryption. You need to download the phone file system and physical using UFED at the same time in PA using 'Open Advanced'. This is the only way I know to decrypt Blackberry enrypted whats app backups and is only supported on a limited iterations of Blackberry OS

This was concluded a couple of weeks back - thanks to kbertens and others for the help on this one.

It turns out for my specific scenario it is not possible to decrypt on a BB 9320 running 7 OS. (Due to the way in which the encryption keys are stored & also the the fact that the PA method/alternative method does not support version 7 OS).

Cellebrite's PA method will work, but only on certain models of BB running mostly under v5 OS.(following testing and further assistance).

There is an alternative method using an LE tool, however for this model also at this stage it is not possible to extract the encryption keys, due to the way they are stored for this model.

So, yes i was defeated on this occasion! evil

ReplyQuote
Topic starter Posted : 02/12/2013 2:33 pm
Share: