With over 1.3 billion monthly users, WhatsApp is the most popular instant messaging tool worldwide, and Android is the most popular mobile operating system by far. This makes WhatsApp acquisition from Android devices essential for law enforcement. Elcomsoft Explorer for WhatsApp 2.30 can now download and decrypt Android users’ encrypted WhatsApp communication histories stored in Google Drive. If you have access to the user’s trusted phone number or their physical SIM card (to receive a verification code from WhatsApp), you can now use Elcomsoft Explorer for WhatsApp to download, decrypt and display WhatsApp communication histories backed up into the user’s Google Account. Surprisingly, a cloud backup may, in certain cases, contain even more information than is stored on the device itself. This particularly applies to attachments (photos and videos) sent and received by WhatsApp users and then deleted from the device.
All recent versions of WhatsApp encrypt their backups with a cryptographic key unique to each WhatsApp account. Without access to that key, the only things Elcomsoft Explorer for WhatsApp could extract from the user’s Google Account were contacts and media files sent and received by the WhatsApp user. The main communication history is securely encrypted with AES-256. To make things even more complicated, different builds of WhatsApp have used different encryption algorithms, making an all-in-one decryption tool complicated to build. Elcomsoft Explorer for WhatsApp 2.30 solves all of these issues by automatically downloading and decrypting the backup from the user’s Google Account. The cryptographic key is generated automatically based on the authentication code received as a text message delivered to the user’s trusted phone number.
In order to download and decrypt Android users’ WhatsApp communication histories, you will need all of the following:
- The user’s Google Account authentication credentials (login, password, and second authentication factor if 2FA is enabled).
- The ability to receive a verification code from WhatsApp (e.g. with the user’s SIM card).
How It Works
The Android version of WhatsApp can back up its communication history into the user’s Google Account, specifically Google Drive. While WhatsApp does not encrypt media files (pictures and videos) sent and received by its users (making it possible for Elcomsoft Explorer for WhatsApp to extract them even without the cryptographic key), the main communication history, the actual messages, is securely encrypted with an AES-256 based encryption algorithm. The exact algorithm depends on the version of WhatsApp, but one thing is certain: it simply isn’t possible to decrypt the data without the key.
The encryption/decryption key is generated by WhatsApp servers the first time the user makes a backup. The key is never stored in the cloud; instead, it is only kept on the device. Whether or not the key can be extracted from the device depends on the version of Android and the device’s root status; we won’t touch on this issue here and point you to this article instead.
However, it is possible to generate that key based on the user’s WhatsApp ID (their phone number). The newly generated encryption key will exactly match the key that was used to make all of the user’s previous backups in their Google Account; moreover, this very same key will be used for all future WhatsApp backups of that user created in their Google Account. In other words, you only need to generate the key once, and can use it indefinitely to obtain past, present and future backups.
Permanent decryption key: The decryption key received by Elcomsoft Explorer for WhatsApp is permanent and does not change if the user changes their Google Account password. The decryption key remains valid even after re-authenticating WhatsApp on a different device, provided that the same phone number and Google Account are used. The same key can be used to decrypt older backups created before the key was retrieved.
In order to generate the cryptographic key, Elcomsoft Explorer for WhatsApp attempts to register itself as a WhatsApp application. Once the tool sends the authentication request to the WhatsApp server, the server sends a verification code to the user’s registered phone number. This code must be entered into Elcomsoft Explorer for WhatsApp in order to generate the cryptographic key.
Note: Since WhatsApp is restricted to running on a single device, completing this registration deactivates the user’s existing WhatsApp instance. The user’s Android phone will no longer be able to send or receive WhatsApp messages after WhatsApp registration is transferred to Elcomsoft Explorer for WhatsApp unless the user re-authenticates it on their device. However, even after re-authentication, the cryptographic key will remain valid and usable.
How to Extract WhatsApp for Android Communication History from Google Drive
Follow these steps to extract a WhatsApp backup from the user’s Google Account.
- Launch Elcomsoft Explorer for WhatsApp.
- In Elcomsoft Explorer for WhatsApp, observe the two green icons, “iOS” and “Android”, located in the bottom left part of the main window. Click on the Android icon. (Refer to the online manual.)
- Click on the green Android icon again. Select “Download data from Google Drive” from the menu.
Note: you will not have to repeat the authentication process, as Elcomsoft Explorer for WhatsApp will use the credentials cached in the previous steps.
- If the user’s Google Account has two-factor authentication, you will be prompted for a code.
- Enter the 2FA code.
- The downloading process begins. If the Google Account holds data for multiple devices and/or multiple backups, the process may take a while.
- Once the download completes, you will see a message that warns that the data is encrypted.
- You can use the Decrypt option to instantly decrypt data. Alternatively, you may click Open to have data loaded into the viewer. At this time, you can only access media files; text conversations are still encrypted.
- If you attempt to access encrypted data, you will be prompted for a WhatsApp verification code.
- Click Send to request a code.
- The code will be delivered to the phone number. Enter the code into the “Verification code” box.
- Once the correct code is entered, the data is instantly decrypted. If you have other encrypted data, click on the lock sign to instantly decrypt. Newly downloaded data will be decrypted automatically.
WhatsApp remains one of the most reliable instant messaging services. Based on Whisper Systems communication protocols, its end-to-end communications remain securely protected even if someone manages to intercept them. Cloud backups remain one of the few attack vectors that allow remote access to a WhatsApp communication history. If you have cloud backups enabled in WhatsApp and your phone is suddenly deregistered from your WhatsApp account, watch out: someone could have accessed your data. As always, we recommend activating two-factor authentication to protect your Google Account.