ElcomSoft: Explorer for WhatsApp Software Tool for Extracting, Decrypting and Analyzing WhatsApp Communication Histories

ElcomSoft Co. Ltd. updates Explorer for WhatsApp, all-in-one tool for extracting, decrypting and analyzing WhatsApp communication histories.

The tool gains the ability to decrypt WhatsApp stand-alone backups produced by the iPhone app and stored in Apple’s iCloud Drive. The decryption is possible with access to a verified phone number or SIM card, and requires authenticating into the user’s Apple ID account. A WhatsApp encryption key must be only obtained once, and can be used to access all previously created and all future backups for a given combination of Apple ID and phone number. The tool provides automatic download and decryption for WhatsApp backups and comes with a built-in viewer.

“WhatsApp remains the most popular instant messaging tool in North America and Europe, and is the one communication tool most frequently picked by the criminals,” says Vladimir Katalov, CEO, ElcomSoft. “With our tool, investigators can now access iPhone users’ encrypted WhatsApp communication histories stored in Apple iCloud Drive – provided that they have access to the user’s Apple ID account and can receive a confirmation code sent to their verified phone number.“

Click to enlarge

Decrypting iPhone users’ WhatsApp backups
Since December 2016, both manual and daily stand-alone backups produced by WhatsApp iPhone app and stored in the user’s iCloud Drive are automatically encrypted with industry-standard AES256 encryption. The encryption key, generated by WhatsApp at the time of the first backup, is unique per each combination of Apple ID and phone number. Different encryption keys are generated for different phone numbers registered on the same Apple ID. These encryption keys are generated and stored server-side by WhatsApp itself; they are never stored in iCloud, and they cannot be extracted from the iOS device.

Click to enlarge

Explorer for WhatsApp 2.10 gains the ability to retrieve cryptographic keys used to encrypt and decrypt WhatsApp’s iCloud backups, successfully bypassing encryption and gaining access to WhatsApp conversation history and underlying messages. In order to generate the encryption key, experts must be able to receive a WhatsApp verification code sent to the phone number for which a given backup was created. In addition, the user’s Apple ID and password (or binary authentication token) are required to gain access to the backup itself. The cryptographic key can be used to access all previously created and all future backups for a given combination of Apple ID and phone number.

Experts with access to the user’s verified phone number of SIM card as well as Apple ID authentication credentials can use Explorer for WhatsApp to circumvent encryption and gain access to iCloud-stored encrypted messages. ⁽¹⁾

Click to enlarge

Current state of WhatsApp security
Despite recent discoveries regarding WhatsApp encryption of the tool’s iCloud backups, the app’s end-to-end message delivery still remains secure, and the messaging service remains one of the most secure on the market. WhatsApp securely encrypts messages sent and received, and makes use of encryption when producing cloud backups. Decrypting WhatsApp-produced backups requires access to the trusted phone number or SIM card, as well as access to the user’s Apple ID account.

WhatsApp does not keep communication histories on their servers, making them unavailable to hacker attacks. For the same reason, government requests result in very limited data. As a result, acquisition is only possible from physical devices, iOS system backups or proprietary WhatsApp backups.

About Explorer for WhatsApp
Explorer for WhatsApp is an all-in-one tool for extracting, decrypting and viewing WhatsApp communication histories from iOS and Android devices and cloud services. Supporting a range of acquisition options, it can extract WhatsApp data from local iTunes backups, retrieve WhatsApp databases from iCloud backups and download stand-alone WhatsApp backups from Apple iCloud Drive. The tool can extract WhatsApp communication histories from most rooted and non-rooted Android devices. Cloud acquisition requires entering the correct authentication credentials (Apple ID and password), while stand-alone WhatsApp backup decryption requires access to a verified phone number or SIM card. Encrypted backups can be decrypted automatically once the correct password is supplied.

The built-in viewer offers convenient access to contacts, messages and pictures sent and received during conversations. Multiple WhatsApp databases can be analyzed at the same time. Searching and filtering make it easy locating individual messages or finding communication sessions that occurred over a certain date range.

Explorer for WhatsApp is available to North American customers for $79. Its test version is available free of charge. Local pricing may vary.

It supports Windows 7, 8, 8.1, and Windows 10 as well as Windows 2008, 2012 and 2016 Server.

(1) Detailed how-to guide