Now Reading
Extracting WhatsApp database and the cipher key from a non-rooted Android device

Extracting WhatsApp database and the cipher key from a non-rooted Android device

WhatsApp Messenger is a popular cross-platform mobile messaging app which allows users to exchange free messages. Of course, such messages could contain lots of case-relevant data.
This messenger stores data in SQLite databases. There are two most important databases from a forensic point of view: wa.db and msgstore.db. The first one contains information about contacts, the second – about messages.

Very often a digital forensic examiner can find msgstore files on an Android device’s SD card, but not with db extension, but with, for example, crypt6, crypt7 or crypt8. These are encrypted msgstore backup files.

Of course, if you are examining a rooted device it’s not a problem: you can easily extract the cipher key and the most recent unencrypted msgstore database. But what if the device is non-rooted?

There is a solution! WhatsApp Key/DB Extractor is a tool developed by Abinash Bishoyi which allows a digital forensic examiner to extract the cipher key on non-rooted Android devices. What is more, the script also extracts the latest unencrypted WhatsApp Message Database (msgstore.db) and Contacts Database (wa.db). It’s important to note that WhatsApp Key/DB Extractor supports Android devices with Android 4.0 or higher.

To run the script you can use your favorite operating system: it supports Windows, Mac OS X and Linux. Make sure USB debugging is enabled on the device being examined and Android Debug Bridge drivers are installed.

Start from downloading the archive with the tool, use this link. Unpack the downloaded archive. If you are using Windows – run WhatsAppKeyExtract.bat, else – ./

In this example we are using a workstation with Mac OS X and an mobile device with Android 5.0.1. We run the script: it downloads and installs to the device’s temporary folder WhatsApp 2.11.431 (fig. 1).



Figure 1. Running script

Now the script is ready to extract the cipher key and the most recent Contacts and Message unencrypted databases. To do it, a forensic examiner should unlock the device and confirm the backup operation (fig. 2).



Figure 2. The script has successfully finished the task

The script copies the cipher key file and two unencrypted databases – wa and msgstore. Also it updates WhatsApp’s version to the original one. Now an examiner can use the cipher key to decrypt databases, for example, found on device’s SD card.

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics


Leave a Response