Tuesday, May 15, 2012

WhatsApp Forensics

Those who follow this blog may have noticed, a few months ago, a post that introduced WhatsApp Xtract: this script was able to display in an HTML document all the WhatsApp messages extracted from an iPhone. And those who follow the xda developers forum may have recently noticed a thread about it.
Over the last month, thanks to Martina Weidner (aka ztedd), who has decided to take over its development, we have obtained valuable results.


WhatsApp is a widespread instant messaging application for smartphones, available for iOS, Android, BlackBerry, Symbian and Windows Phone. The chance to replace the traditional SMS service, avoiding its cost, has allowed this application to gain popularity very quickly. The automatic synchronization of the app with the phone address book, the unlimited message length and the possibility to share a wide range of multimedia attachments have persuaded many people... and who cares if it has suffered from some security issues!

Where to find the information:

As many apps do, WhatsApp stores all its information in a SQLite database: the location and the structure of the database differ from platform to platform.


If you choose not to root the device (remember the digital forensics best practices!), you will only be able to get an encrypted file from the SD card (/sdcard/WhatsApp/Databases/msgstore.db.crypt). What's the file structure? Random, obviously! Is there a solution? Yes, there is... so far. The WhatsApp Database Encryption Project by Corjens, Spruyt and Wieringa has disclosed a weakness in the Android implementation of the AES cipher: the 192-bit key can be recovered by either static or dynamic analysis of the software package. And the result is:


Just a few lines of Python and a decrypted database can be obtained. For further information, read the project report.

Conversely, if you root the device, you will easily reach the plain databases (/data/data/com.whatsapp/databases/msgstore.db and wa.db).
As you can see in the first figure, the database of the Android version is split into two files: wa.db contains all the information related to the contacts (id, phone number, status, etc.), whereas msgstore.db stores the messages, including attachments.
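As an added example (not the WhatsApp Xtract code), here is how the Android split database can be walked in Python: contacts read from wa.db resolve the JIDs found in msgstore.db, and when wa.db is missing the output falls back to the bare phone number, much like the tool's optional -w wa.db argument. The table and column names and the sample rows are constructed assumptions, not taken from this post.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data: table/column names are assumptions modelled on the
# Android layout described above (wa.db = contacts, msgstore.db = messages).
WA_DB_SQL = """
CREATE TABLE wa_contacts (jid TEXT, display_name TEXT, number TEXT, status TEXT);
INSERT INTO wa_contacts VALUES
  ('39333000001@s.whatsapp.net', 'Alice', '+39 333 000001', 'Available');
"""
MSGSTORE_SQL = """
CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_remote_jid TEXT,
  key_from_me INTEGER, data TEXT, timestamp INTEGER, media_mime_type TEXT);
INSERT INTO messages VALUES
  (1, '39333000001@s.whatsapp.net', 0, 'ciao',  1336000000000, NULL),
  (2, '39333000001@s.whatsapp.net', 1, 'hello', 1336000060000, NULL),
  (3, '39333000002@s.whatsapp.net', 0, NULL,    1336000120000, 'image/jpeg');
"""

def load_contacts(wa_con):
    """JID -> display name, read from wa.db."""
    return {jid: name for jid, name in wa_con.execute("SELECT jid, display_name FROM wa_contacts")}

def extract_messages(msg_con, contacts=None):
    """Messages in time order; JIDs resolved via wa.db contacts, else the bare number."""
    contacts = contacts or {}
    lines = []
    query = "SELECT key_remote_jid, key_from_me, data, timestamp, media_mime_type FROM messages ORDER BY timestamp"
    for jid, from_me, data, ts_ms, mime in msg_con.execute(query):
        peer = contacts.get(jid, jid.split("@")[0])   # fallback when wa.db is absent
        when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)  # stored in milliseconds
        direction = "to" if from_me else "from"
        body = data if data is not None else "[attachment: %s]" % mime
        lines.append("%s %s %s: %s" % (when.strftime("%Y-%m-%d %H:%M:%S"), direction, peer, body))
    return lines

def sample_report(with_wa_db=True):
    """Build the constructed databases in memory and run the extraction, with or without wa.db."""
    msg_con = sqlite3.connect(":memory:")
    msg_con.executescript(MSGSTORE_SQL)
    contacts = None
    if with_wa_db:
        wa_con = sqlite3.connect(":memory:")
        wa_con.executescript(WA_DB_SQL)
        contacts = load_contacts(wa_con)
    return extract_messages(msg_con, contacts)
```

Running sample_report() on real files means opening msgstore.db and wa.db with sqlite3.connect instead of the in-memory constructed data.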


iTunes can automatically synchronize and back up the iPhone content when you plug it into your computer, and the backup is not encrypted by default. So, even without the UFED Physical Analyzer, it could be possible to find on the computer of a person under suspicion an enormous amount of data about his iPhone. iPhone Backup Extractor interprets these data and enables you to extract all the files you want. Application/net.whatsapp.WhatsApp/Documents/ChatStorage.sqlite is the source of information we are looking for.

Unlike the Android version, here the tables are collected in a single file, but the structure is a little more complicated: ZWACHATSESSION and ZWASTATUS hold the contacts, while ZWAMESSAGE and ZWAMEDIAITEM hold the details of the messages and the attachments.

Main new features:

  • WhatsApp database can be inspected for both iOS (ChatStorage.sqlite) and Android (msgstore.db & wa.db) devices; 
  • Emoticons and attachments (images / video / audio / gps / contacts) are shown in the message content;
  • msgstore.db.crypt (Android) can be decrypted and inspected.

How to use:

  1. Download the archive and extract it to a certain folder on your computer, e.g. C:\WhatsApp;
  2. Copy the database(s) to e.g. C:\WhatsApp;
  3. You need Python and (for Android msgstore.db.crypt decryption) the PyCrypto library;
  4. Run the .bat files provided with the package or type in the console one of the following commands:

    For Android DB:
    > python whatsapp_xtract.py msgstore.db -w wa.db
    OR (if wa.db is unavailable)
    > python whatsapp_xtract.py msgstore.db
    OR (for crypted db)
    > python whatsapp_xtract.py msgstore.db.crypt

    For iPhone DB: (-w option is ignored)
    > python whatsapp_xtract.py ChatStorage.sqlite

To do:

Currently, iOS database analysis could be improved in the handling of attachments (gps / audio) and group messages. We would also like to extend support to the Nokia and BlackBerry versions of WhatsApp, but we don't have enough information on them. Anyone wishing to contribute, with ideas and... databases to analyze, is welcome!

Follow the updates on the Hotoloti repository and on the XDA Developers Forum!