Description
Price: $79
The Ultimate WhatsApp Acquisition Tool
Elcomsoft Explorer for WhatsApp (EXWA) is a Windows tool to acquire,
decrypt and display WhatsApp communication histories. The tool offers
multiple acquisition options to extract and decrypt WhatsApp data from
multiple local and cloud sources including Android smartphones, iOS
system backups (iTunes and iCloud), and WhatsApp proprietary cloud
backups in Google Drive and iCloud Drive.
The tool supports both rooted and non-rooted Android phones.
Encrypted backups can be automatically decrypted provided that the
correct password is supplied. Downloading cloud backups from Apple
iCloud and iCloud Drive requires entering the user’s Apple ID and
password or using a binary authentication token extracted from the
user’s computer, while Google Drive downloads require a login and a
password. Two-factor authentication is supported for both Apple and
Google accounts.
The built-in viewer offers a convenient view of messages, calls and
pictures stored in multiple WhatsApp databases obtained from the
different sources. Instant filtering and ultra-fast searching allow
finding records of interest in a matter of seconds.
WhatsApp Acquisition
Elcomsoft Explorer for WhatsApp supports all of the following acquisition methods of WhatsApp databases:
- Direct extraction from Android smartphones
Rooted (Android 4.0-9.0) and non-rooted (Android 4.0-6.0.1) devices are supported. Phone must be unlocked for acquisition.
- Over-the-air acquisition of WhatsApp proprietary backups stored in Google Drive
WhatsApp backups can be pulled from the user’s Google Account and
decrypted. Access to registered phone number or SIM card is required.
Google ID and password required.[1]
- Extraction from local iTunes backups
Encrypted backups are automatically decrypted. The correct password is required to decrypt the backup.
- Over-the-air acquisition from iOS backups stored in Apple iCloud
WhatsApp databases are automatically retrieved from iOS backups
stored in Apple iCloud. Fast acquisition is made possible by selectively
downloading WhatsApp information instead of pulling the entire backup
from the cloud. Apple ID and password or binary authentication token
required.[2]
- Over-the-air acquisition of WhatsApp proprietary backups stored in iCloud Drive
Proprietary WhatsApp backups can be pulled from the user’s iCloud
Drive account and decrypted. Access to registered phone number or SIM
card is required.[1] Apple ID and password or binary authentication token required.[2]
WhatsApp Acquisition: Not an Easy Target
WhatsApp Messenger is one of the most popular instant messaging
tools, if not the most popular one. WhatsApp clients are available for
all mobile platforms including Android, Apple iOS, Blackberry, and
Microsoft Windows Phone 8.x and Windows 10 Mobile.
WhatsApp is a popular target for spammers, hoaxers and cyber
criminals. On at least one occasion, intercepted WhatsApp communications
helped uncover a terrorist organization.
Since WhatsApp employs secure end-to-end messaging, it is not
possible for law enforcement to request communication histories from
Facebook, which currently owns WhatsApp. As a result, acquisition is only
possible from end-user devices or data backups produced by such devices
and saved either locally or stored in a cloud.
Requirements to Download WhatsApp Databases from the Cloud
The Standard edition of Elcomsoft Explorer for WhatsApp can download
information from Google Drive, Apple iCloud and iCloud Drive[1].
In order to be able to download information from Google Drive, Apple
iCloud or iCloud Drive, the correct login and password are required. For
Apple iCloud, one can use a binary authentication token extracted from
the user’s PC or Mac. For extracting binary authentication tokens, we
recommend using a tool from Elcomsoft Phone Breaker
(if you don’t own a license, the evaluation version will work just
fine). Decrypting the backup requires a one-time code sent by SMS
to a registered phone number.[1]
Without the code, the conversation database will remain encrypted;
only the files (photos and videos) and contacts (Google Drive only) will
be available.
[1] WhatsApp encrypts its cloud backups. In order to decrypt the backups,
one-time access to the user’s registered phone number or SIM card is
required. The decryption key is permanent, and can be used to decrypt
existing and future backups created on iCloud Drive (for Google Drive,
only existing ones). Alternatively, the encryption key can be obtained
from jailbroken iPhones using Elcomsoft iOS Forensic Toolkit keychain extraction.
[2] Binary authentication tokens can be extracted from the user’s
computer with a tool available with Elcomsoft Phone Breaker. If you
don’t own the product, the token extraction tool is also available in
All Features and Benefits
Elcomsoft Explorer for WhatsApp can
extract WhatsApp conversations directly from a wide range of Android
smartphones. As WhatsApp securely encrypts its databases, root access is
recommended (but not required) for acquisition. If no root access is
available, Elcomsoft Explorer for WhatsApp will employ a workaround by
pushing an acquisition tool into the phone temporarily for extracting
the decryption key.
If root access is available, Elcomsoft Explorer for WhatsApp can
extract WhatsApp conversations from Android handsets running Android 4.0
through 9.0. Without root access, compatibility is limited to Android
versions 4.0 through 6.0.1.
WhatsApp Business extraction is supported
for Android devices. Since WhatsApp Business is a separate app with a
different security profile, Elcomsoft Explorer for WhatsApp requires
root access to extract information directly from a physical Android
handset. Logical acquisition (backup files) as well as cloud extraction
from Google Drive are available without root access.
WhatsApp has the ability to create cloud
backups of its database, saving them in Apple iCloud Drive (iPhone) or
Google Drive (Android phones). WhatsApp backups are unique per phone
number. This means that the number of available WhatsApp backups in the
user’s cloud account will depend on how many different phone numbers are
used.
Elcomsoft Explorer for WhatsApp can extract and decrypt proprietary
WhatsApp backups from both Google Drive and iCloud Drive. When obtaining
a decryption key, one-time access to the user’s phone number or SIM
card is required to receive a verification code.[1]
Without the code, the conversation database will remain encrypted; only
the files (photos and videos) and contacts (Google Drive only) will be
available.
WhatsApp is an instant messaging
application. Its databases contain information about peer-to-peer
communications between users, including the following records:
WhatsApp Database Content
- Sent and received text messages complete with contact IDs and timestamps
- User’s contact database complete with phone numbers
- Call logs
- Pictures and videos sent and received, complete with timestamps and contact IDs
Elcomsoft Explorer for WhatsApp is
equipped with a built-in viewer supporting multiple WhatsApp databases
extracted from various sources. The viewer includes instant filtering
and quick search functionality. Finding a certain contact, message or
conversation is easy by specifying a date range or typing a partial
keyword into the search box.
The built-in data export facility enables exporting WhatsApp data
into a standard Excel-compatible XLSX file. Experts can use these files
to continue their investigation in the product of their choice.
System requirements
Windows
- Windows 7 (32 bit)
- Windows 7 (64 bit)
- Windows 8
- Windows 8.1
- Windows 10
- Windows Server 2012/2016
Requirements to Download WhatsApp Databases from the Cloud
The Standard edition of Elcomsoft Explorer for WhatsApp can download
information from Google Drive, Apple iCloud and iCloud Drive. In order
to be able to download information from Apple iCloud/iCloud Drive, the
correct Apple ID and password are required. Decrypting the backup
requires a one-time code sent by SMS to a registered phone
number.[1]
Without the code, the conversation database will remain encrypted; only
the files (photos and videos) and contacts (Google Drive only) will be
available.
For Apple iCloud access, one can use a binary authentication token
extracted from the user’s PC or Mac. For extracting binary
authentication tokens, we recommend using a tool from Elcomsoft Phone Breaker (if you don’t own a license, the evaluation version will work just fine).
Trial limitations
10 records to view
Release notes
Elcomsoft Explorer for WhatsApp v.2.76.36327
9 April, 2020
- fixed some issues with iCloud access through proxy
Uninstallation procedure: in order to uninstall the product, follow the
standard procedure via Control Panel – Programs and Features or use the
corresponding Uninstall link from the product’s folder in the Windows
Start menu.