With more than 1.5 billion
users and 5.5 billion messages per day, WhatsApp is without a doubt the most
popular messenger in the world. All messages sent using WhatsApp have
end-to-end encryption, meaning they are unreadable if intercepted by anyone,
including law enforcement and WhatsApp itself. More importantly, WhatsApp
communications are never stored on the WhatsApp server. It is no surprise with
this type of security built-in to the application it is often the choice
communication platform of users with nefarious agendas. Keeping that fact in
mind, it is imperative investigators are armed with methods and tools to
recover this essential data
Oxygen Forensics offers the most comprehensive WhatsApp data extraction and decryption tools in the market.
WhatsApp From Mobile Devices
End-to-end encryption, as
described, only offers security for a “man-in-the-middle attack” or simply live
interception. However, the data on an
Apple iOS or Android device is available in a decrypted format. The problems investigators
often face in today’s mobile device examinations involving WhatsApp and other
apps is often how to overcome a device with a screen lock or device encryption.
When it comes to iOS devices,
all WhatsApp data can be extracted in a basic iTunes backup procedure. However,
for Android devices, we often recommend a physical extraction method to recover
WhatsApp’s evidentiary files. We offer a wide range of physical collection methods
that are successful on a large variety of Android devices. Remember, when
examining an Android device always check the SD card for a WhatsApp backup. This file is always encrypted, but we have you
covered! You will find information about Oxygen Forensics’ innovative
decryption methods below.
WhatsApp From Cloud
A WhatsApp user, using an iPhone
or Android device, may choose to back up their chats to iCloud or Google Drive.
It is important to understand; WhatsApp backups are encrypted by default and to
decrypt them a forensic investigator should have access to the SIM card to
which this WhatsApp account is assigned. Armed with this SIM and investigator
can recover and decrypt this valuable WhatsApp data. However, there are other methods to decrypt
this recovered data using the WhatsApp Cloud token. This is outlined more in the following
Extracting WhatsApp data from various
cloud services there could be additional hurdles like two factor authentication
(2FA) or two-step verification. Our
Oxygen Forensic Cloud Extractor documentation contains detailed instructions on
how to overcome these additional challenges.
Extraction of this valuable
cloud data is extremely important. This
collection may contain data that had been deleted from the device which can easily
occur if synchronization is set to each week or each month.
WhatsApp Backup Decryption
The standard WhatsApp backup
decryption method used throughout the industry is based on a key file. With our innovative methods, Oxygen Forensics
offers a new decryption method that requires only a phone number! This method
is a great alternative to the commonly used key file. Case in point: If you
have found an encrypted backup on an Android’s SD card with no access to the
Android internal memory where the decryption key is stored simply use our
innovative decryption support. Our Oxygen Forensic Cloud Extractor offers you
an exclusive opportunity to decrypt this backup by receiving a code to the
phone number assigned to the recovered SIM card.
Not only data from the device
is recoverable, but Oxygen Forensic Detective can also recover a special
WhatsApp Cloud token from physical extractions of Android devices. This token can be utilized to decrypt
WhatsApp backups from Android devices, WhatsApp Google Drive, and WhatsApp
iCloud backups associated with the same phone number.
WhatsApp Cloud (Server)
It is known that WhatsApp does
not store any communications on its Server that have been delivered. Messages and unanswered calls that cannot be
delivered (e.g., it has no Internet connection, or it is switched off) will be
temporally stored on the server. Oxygen Forensic Detective has the unique ability
to access this data from the cloud via only the phone number or special
WhatsApp Cloud token extracted from Android devices.
you have a locked mobile device that you cannot acquire try this: switch it off, wait for a few moments, remove the
SIM card and place it into another phone that is unlocked to a carrier. Select
WhatsApp Cloud service in our Cloud Extractor, select to receive a code to the SIM
card. Now you will have access to the
undelivered messages, unanswered calls and their contacts.
WhatsApp via QR Token from PC
Users can now access and
communicate using WhatsApp Desktop and WhatsApp Web Apps from a computer. Our
exhaustive research revealed that these apps do not store any databases on the
computer being used to communicate. However, with our free Oxygen Forensic
KeyScout utility, built into Oxygen Forensic Detective, you can detect a
WhatsApp QR token on a computer where WhatsApp was used. This valuable token
will allow you to extract complete WhatsApp data in our Cloud Extractor. The
only condition is that the WhatsApp owner’s mobile device must have an active
Internet connection. If the mobile device is locked, no problem! This WhatsApp
QR code method is ideal for data extraction from locked mobile devices. However,
if you have an unlocked mobile device but for some reason the extraction
continually fails, simply scan the WhatsApp QR code from the device in our
Cloud Extractor to acquire all the current WhatsApp data.