
Decryption of WhatsApp

(@dcs1094)
Posts: 146
Estimable Member
Topic starter
 

I have a Micro SD from a Blackberry containing encrypted WhatsApp message stores/db files.

Until recent times, the only way of obtaining the contents is to view the Chats through the Handset with the Memory Card inserted and capture via a manual… painful task but does the job.

I know there was a new release in August of Cellebrite PA which cracked the decryption of the db files via completing a file system & physical extraction of the device; then using the 'open advanced' feature on PA to eventually obtain the chats.

I don't seem to be having much luck with this method, all data is decoded however no WhatsApp contents…

Any other ideas/assistance is appreciated.

Thanks in advance,

Dan

 
Posted : 31/10/2013 5:59 pm
(@kbertens)
Posts: 88
Trusted Member
 

So besides the Micro SD you also have an extraction of the Blackberry?
Send you a pm for some more info.

BTW, have a look at http://www.slideshare.net/andrey.belenko/ios-and-blackberry-forensics

 
Posted : 31/10/2013 7:30 pm
(@dcs1094)
Posts: 146
Estimable Member
Topic starter
 

Yes.

Cheers

Dan

 
Posted : 31/10/2013 8:41 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Oxygen Forensic Suite supports WhatsApp decryption.

 
Posted : 31/10/2013 8:44 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

Please use the UFED version that was released this week, there was a fix exactly for this.

Ron Serber

 
Posted : 01/11/2013 12:18 am
(@dcs1094)
Posts: 146
Estimable Member
Topic starter
 

Thanks for this guys. Will be sure to check both out when next in the lab.

 
Posted : 01/11/2013 2:49 am
(@jtingkir)
Posts: 21
Eminent Member
 

I just decrypted one WhatsApp db from an unrooted Android device. The process is simple… these are the tools I used:

1. http://sch3m4.github.io/wforensic/ -> used for decryption and merging db files
2. http://blog.digital-forensics.it/2012/05/whatsapp-forensics.html -> used for printing those decrypted db files in printable form, so you won't need to look at them using a sqldb viewer or stuff like that.

good luck.

 
Posted : 07/11/2013 7:59 am
(@kbertens)
Posts: 88
Trusted Member
 

The question was about a Blackberry.

 
Posted : 07/11/2013 6:05 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

> The question was about a Blackberry.

I have seen android backups on a Blackberry memory card before but it is not common.

Can you please give the path to the db file? Is the header of the file REM?

If it's REM then it is encrypted with RIM encryption. You need to download the phone file system and physical using UFED at the same time in PA using 'Open Advanced'. This is the only way I know to decrypt Blackberry encrypted WhatsApp backups and is only supported on limited iterations of Blackberry OS.

 
Posted : 01/12/2013 7:06 pm
(@dcs1094)
Posts: 146
Estimable Member
Topic starter
 

> I have seen android backups on a Blackberry memory card before but it is not common.
>
> Can you please give the path to the db file? Is the header of the file REM?
>
> If it's REM then it is encrypted with RIM encryption. You need to download the phone file system and physical using UFED at the same time in PA using 'Open Advanced'. This is the only way I know to decrypt Blackberry encrypted WhatsApp backups and is only supported on limited iterations of Blackberry OS.

This was concluded a couple of weeks back - thanks to kbertens and others for the help on this one.

It turns out for my specific scenario it is not possible to decrypt on a BB 9320 running 7 OS (due to the way in which the encryption keys are stored and also the fact that the PA method/alternative method does not support version 7 OS).

Cellebrite's PA method will work, but only on certain models of BB running mostly under v5 OS (following testing and further assistance).

There is an alternative method using an LE tool, however for this model also at this stage it is not possible to extract the encryption keys, due to the way they are stored for this model.

So, yes, I was defeated on this occasion!

 
Posted : 02/12/2013 2:33 pm