Now Reading
Decrypting encrypted WhatsApp databases without the key

Decrypting encrypted WhatsApp databases without the key

Every month our lab receives lots of requests to decrypt encrypted WhatsApp databases without the crypt key. In this article we’ll speak about available methods of the key extraction or recovery and the perspectives of decryption of encrypted WhatsApp databases without the crypt key.


WhatsApp crypt key location


So, what is the crypt key? It is a file with “key” name stored in  userdata/data/сom.whatsapp/files/.



Figure 1. The “key” file


The crypt key extraction and recovery


The main problem of decryption encrypted WhatsApp databases is that the key is always stored on the device, but encrypted databases can be also stored on it’s SD card, for example.



Figure 2. Encrypted WhatsApp databases


Usually to extract the crypt key a digital forensic examiner must perform a physical extraction from the device. But it’s not always possible due to software and hardware issues of some mobile devices. Of course, there are methods of extraction the crypt key from non-rooted devices, but these techniques can be applied to a limited number of devices.

If your client has the SIM-card used for the crypt key generation on the examined device, we can get a new key via reinstalling WhatsApp. The new key can be used to decrypt old databases.

The crypt key mining: a digital forensic examiner can try to recover the deleted key from the examined mobile device. Of course, you’ll need a physical image of the device. Extract strings and choose those with morphology similar to the crypt keys. Then try to use these keys to decrypt the encrypted databases you got.


The perspectives of decryption of encrypted WhatsApp databases without the crypt key


Nowadays there are no public solutions for decryption of encrypted WhatsApp databases without the crypt key.



Figure 3. Decrypted WhatsApp database (confidential information is not displayed)


In our opinion there are two main ways to solve the problem:

  • reverse engineering of WhatsApp code in order to understand the encryption algorithm. Very often the bugs in code allow the forensic experts to make development of decryption methode much easier, or even find backdoors which help to decrypt the data very quick;
  • using mainframes or clouds to brute-force the crypt key. This technique shows very good results in password recovery and data decryption. Of course, it’s too expensive to use for WhatsApp databases decryption.

If you have any questions on WhatsApp databases decryption feel free to contact us using this form.

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics

Leave a Response