Elcomsoft Explorer for WhatsApp

 

Acquire and analyze WhatsApp communication histories from multiple sources. Extract WhatsApp databases from Android phones with and without root access, download WhatsApp backups from Google Drive and iCloud Drive, or extract them from local and cloud iOS system backups.

 

  • Includes WhatsApp acquisition and extraction tools for iOS and Android
  • Supports regular WhatsApp on Android and iOS and WhatsApp Business for Android
  • Comes with a built-in viewer
  • Extraction from physical devices, backups, Google and Apple cloud services
  • Automatic decryption, searching and filtering
  • All-in-one tool supplied with all relevant local and cloud acquisition tools

 

Supports: WhatsApp databases and backups, Android devices with and without root, iOS system backups (local and cloud), stand-alone WhatsApp backups (Google Drive, iCloud Drive)

 

The Ultimate WhatsApp Acquisition Tool

 

Elcomsoft Explorer for WhatsApp (EXWA) is a Windows tool to acquire, decrypt and display WhatsApp communication histories. The tool offers multiple acquisition options to extract and decrypt WhatsApp data from multiple local and cloud sources including Android smartphones, iOS system backups (iTunes and iCloud), and WhatsApp proprietary cloud backups in Google Drive and iCloud Drive.

 

The tool supports both rooted and non-rooted Android phones. Encrypted backups can be automatically decrypted provided that the correct password is supplied. Downloading cloud backups from Apple iCloud and iCloud Drive requires entering the user’s Apple ID and password or using a binary authentication token extracted from the user’s computer, while Google Drive downloads require a login and a password. Two-factor authentication is supported for both Apple and Google accounts.

 

The built-in viewer offers a convenient view of messages, calls and pictures stored in multiple WhatsApp databases obtained from different sources. Instant filtering and ultra-fast searching allow finding records of interest in a matter of seconds.

 

WhatsApp Acquisition

 

Elcomsoft Explorer for WhatsApp supports all of the following acquisition methods of WhatsApp databases:

 

  • Direct extraction from Android smartphones
    Rooted (Android 4.0-9.0) and non-rooted (Android 4.0-6.0.1) devices are supported. The phone must be unlocked for acquisition.
  • Over-the-air acquisition of WhatsApp proprietary backups stored in Google Drive
    WhatsApp backups can be pulled from the user’s Google Account and decrypted. Access to the registered phone number or SIM card is required. A Google ID and password are required.[1]
  • Extraction from local iTunes backups
    Encrypted backups are automatically decrypted. The correct password is required to decrypt the backup.
  • Over-the-air acquisition from iOS backups stored in Apple iCloud
    WhatsApp databases are automatically retrieved from iOS backups stored in Apple iCloud. Fast acquisition is made possible by selectively downloading WhatsApp information instead of pulling the entire backup from the cloud. An Apple ID and password or a binary authentication token is required.[2]
  • Over-the-air acquisition of WhatsApp proprietary backups stored in iCloud Drive
    Proprietary WhatsApp backups can be pulled from the user’s iCloud Drive account and decrypted. Access to the registered phone number or SIM card is required.[1] An Apple ID and password or a binary authentication token is required.[2]

 

WhatsApp Acquisition: Not an Easy Target

 

WhatsApp Messenger is one of the most popular instant messaging tools, if not the most popular one. WhatsApp clients are available for all mobile platforms including Android, Apple iOS, BlackBerry, and Microsoft Windows Phone 8.x and Windows 10 Mobile.

 

WhatsApp is a popular target for spammers, hoaxers and cyber criminals. On at least one occasion, intercepted WhatsApp communications helped uncover a terrorist organization.

 

Since WhatsApp employs secure end-to-end messaging, it is not possible for law enforcement to request communication histories from Facebook, which currently owns WhatsApp. As a result, acquisition is only possible from end-user devices or from data backups produced by such devices and stored either locally or in a cloud.

 

Requirements to Download WhatsApp Databases from the Cloud

 

The Standard edition of Elcomsoft Explorer for WhatsApp can download information from Google Drive, Apple iCloud and iCloud Drive.[1] Downloading information from Google Drive, Apple iCloud or iCloud Drive requires the correct login and password. For Apple iCloud, one can use a binary authentication token extracted from the user’s PC or Mac. For extracting binary authentication tokens, we recommend using a tool from Elcomsoft Phone Breaker (if you don’t own a license, the evaluation version will work just fine). Decrypting the backup requires a one-time code received via SMS at a registered phone number.[1] Without the code, the conversation database will remain encrypted; only the files (photos and videos) and contacts (Google Drive only) will be available.

 


 

  1. WhatsApp encrypts its cloud backups. In order to decrypt the backups, one-time access to the user’s registered phone number or SIM card is required. The decryption key is permanent, and can be used to decrypt existing and future backups created on iCloud Drive (for Google Drive, only existing ones). Alternatively, the encryption key can be obtained from jailbroken iPhones using Elcomsoft iOS Forensic Toolkit keychain extraction.
  2. Binary authentication tokens can be extracted from the user’s computer with a tool available with Elcomsoft Phone Breaker. If you don’t own the product, the token extraction tool is also available in the free evaluation version of Elcomsoft Phone Breaker.

 

Elcomsoft Explorer for WhatsApp media gallery

Elcomsoft Explorer for WhatsApp picture details

Elcomsoft Explorer for WhatsApp backup details

Elcomsoft Explorer for WhatsApp list of available backups

Elcomsoft Explorer for WhatsApp: Messages

 

All Features and Benefits

 

WhatsApp Acquisition from Android

 

Elcomsoft Explorer for WhatsApp can extract WhatsApp conversations directly from a wide range of Android smartphones. As WhatsApp securely encrypts its databases, root access is recommended (but not required) for acquisition. If no root access is available, Elcomsoft Explorer for WhatsApp will employ a workaround by pushing an acquisition tool into the phone temporarily for extracting the decryption key.

 

If root access is available, Elcomsoft Explorer for WhatsApp can extract WhatsApp conversations from Android handsets running Android 4.0 through 9.0. Without root access, compatibility is limited to Android versions 4.0 through 6.0.1.

 

WhatsApp Business for Android

 

WhatsApp Business extraction is supported for Android devices. Since WhatsApp Business is a separate app with a different security profile, Elcomsoft Explorer for WhatsApp requires root access to extract information directly from a physical Android handset. Logical acquisition (backup files) as well as cloud extraction from Google Drive are available without root access.

 

Downloading Proprietary WhatsApp Backups

 

WhatsApp has the ability to create cloud backups of its database, saving them in Apple iCloud Drive (iPhone) or Google Drive (Android phones). WhatsApp backups are unique per phone number. This means that the number of available WhatsApp backups in the user’s cloud account will depend on how many different phone numbers are used.

 

Elcomsoft Explorer for WhatsApp can extract and decrypt proprietary WhatsApp backups from both Google Drive and iCloud Drive. When obtaining a decryption key, one-time access to the user’s phone number or SIM card is required to receive a verification code.[1] Without the code, the conversation database will remain encrypted; only the files (photos and videos) and contacts (Google Drive only) will be available.

 


 


 

Information Available in WhatsApp Databases

 

WhatsApp is an instant messaging application. Its databases contain information about peer-to-peer communications between users, including the following records:

 

WhatsApp Database Content

  • Sent and received text messages complete with contact IDs and timestamps
  • User’s contact database complete with phone numbers
  • Call logs
  • Pictures and videos sent and received, complete with timestamps and contact IDs

 

Viewing and Exporting

 

Elcomsoft Explorer for WhatsApp is equipped with a built-in viewer supporting multiple WhatsApp databases extracted from various sources. The viewer includes instant filtering and quick search functionality. Finding a certain contact, message or conversation is easy by specifying a date range or typing a partial keyword into the search box.

 

The built-in data export facility enables exporting WhatsApp data into a standard Excel-compatible XLSX file. Experts can use these files to continue their investigation in the product of their choice.