Saturday 25 January 2014

Carving encrypted WhatsApp database files from Android phones

If you are able to create a physical dump of an Android phone, it is possible to carve for encrypted WhatsApp databases in case you do not find them in the actual file system.
We found that msgstore.db.crypt has a header and footer that appear to be consistent across the multiple devices we extracted.

This helps us to carve for these files, using the header and footer we found:
Header: \x49EF23AEFF or \xB749243065
Footer: \x2426708BF3

Carving these files will probably result in multiple files. To be able to decrypt them, each must be named msgstore.db.crypt.
(The number of selected bytes must be divisible by 16.)

These msgstore.db.crypt files can then be handed over to WhatsApp Xtract.
(WhatsApp Xtract needs the name msgstore.db.crypt. Other names will result in an error.)
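The header/footer carve described above as a small Python script. This is an added example, not tooling from the post. It assumes the post's notation \x49EF23AEFF denotes the five bytes 49 EF 23 AE FF (likewise for the other two sequences), and when a footer hit does not give a 16-byte-aligned length it keeps looking for a later footer before the next header.

```python
import re
from pathlib import Path

# Header and footer sequences from the post; assumption: "\x49EF23AEFF"
# denotes the five bytes 49 EF 23 AE FF (and likewise for the others).
HEADERS = (b"\x49\xEF\x23\xAE\xFF", b"\xB7\x49\x24\x30\x65")
FOOTER = b"\x24\x26\x70\x8B\xF3"
HEADER_RE = re.compile(b"|".join(re.escape(h) for h in HEADERS))


def carve_crypt(image):
    """Return (offset, blob) for each header..footer span whose length
    is a multiple of 16, the size WhatsApp Xtract needs. A footer hit
    that breaks the alignment is treated as a false positive and the
    search continues up to the next header."""
    found = []
    for m in HEADER_RE.finditer(image):
        start = m.start()
        nxt = HEADER_RE.search(image, m.end())
        limit = nxt.start() if nxt else len(image)
        pos = m.end()
        while (f := image.find(FOOTER, pos, limit)) != -1:
            length = f + len(FOOTER) - start
            if length % 16 == 0:
                found.append((start, image[start:start + length]))
                break
            pos = f + 1
    return found


def save_candidates(found, out_dir):
    """Write each blob as <out_dir>/candidate_N_at_<offset>/msgstore.db.crypt,
    the exact file name WhatsApp Xtract insists on."""
    paths = []
    for n, (offset, blob) in enumerate(found, 1):
        p = Path(out_dir) / f"candidate_{n}_at_{offset:#x}" / "msgstore.db.crypt"
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(blob)
        paths.append(p)
    return paths


# Constructed sample image: two valid blobs (the first with a decoy
# footer at a misaligned position) and a trailing header without footer.
SAMPLE_IMAGE = (
    b"\x00" * 7
    + HEADERS[0] + bytes(range(10)) + FOOTER + bytes(range(7)) + FOOTER
    + b"\xff" * 3
    + HEADERS[1] + bytes(range(100, 138)) + FOOTER
    + HEADERS[0] + b"\x11" * 9
)

if __name__ == "__main__":
    for offset, blob in carve_crypt(SAMPLE_IMAGE):
        print(f"candidate at {offset:#x}, {len(blob)} bytes")
```

On a real image, pass the raw dump bytes to carve_crypt and then save_candidates, and feed each resulting directory to WhatsApp Xtract separately.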

If the WhatsApp database was carved correctly and completely, WhatsApp Xtract will export an HTML file with the chat messages from this database.
Be aware that you will only recover the messages that have not been deleted from the database; the freelist is not carved.
If you load a corrupted msgstore.db.crypt into WhatsApp Xtract, you may get an error.

Be aware: you might still get a msgstore.plain.db, the decrypted version of the msgstore.db.crypt.

Although this file will not open in an SQLite viewer, you can open it in Notepad or Notepad++ and find WhatsApp messages here and there.

Tuesday 3 December 2013

Recovery Mode of a Samsung Galaxy

By holding the volume up button and the power button of a Samsung Galaxy, you can get into recovery mode. As soon as the Android logo appears and the touchscreen lights up, you must touch the left button (next to the home button).
The screen will darken and after a few seconds you get menu options, which you can select using the volume up and down buttons.
You can navigate to "wipe data/factory reset".

For security reasons you have to confirm by navigating to: "Yes ** Delete all user data".
One would expect that after a data wipe there is no data left to be found.
Nevertheless, there is a lot to be found!

After the factory reset described above, we imaged the phone using the UFED Touch.
A full physical image was made (there was no micro SD card in this phone).

After the extraction of the phone we found that there were at least pictures to be found.
The image was examined in WinHex.
Here we saw that there were traces of WhatsApp.

We mounted the image and saw multiple user folders containing user data.
The folder DCIM/Camera/ contained pictures and movies.

The folder Whatsapp/Database/ contained several WhatsApp databases containing chat history.

Using Belkasoft Evidence Center, we looked for traces of other use of the phone. We found traces of the use of Twitter, Kik, WhatsApp, Facebook and SMS.

After a factory reset there may still be traces to be found. If it matters, make sure you wipe the device properly.

Wednesday 20 March 2013

iMessages in Encase

To find useful iMessages on an iPhone, we created a "lightgrep" GREP expression.
Lightgrep is an add-on for EnCase that can be very useful if you search with keywords and/or GREP expressions in EnCase every now and then.

To find all "complete" iMessages we used:

iMessagep.[^0A]{50,1024}

This resulted in all the iMessages with a maximum length of 1024 characters (longer ones are cut off).

Friday 17 February 2012

MyUTN50 (dongle) USB server

After reading some posts about dongle servers I became enthusiastic, because we use a lot of dongles here for all kinds of programs.
I found that the MyUTN50 USB server was also used as a dongle server and that it is affordable.
So I thought I would give it a try. Bought a MyUTN50, installed it in 3 minutes....
Installed it over a VPN on another computer in 5 minutes....
And was up and running in less than a total of 10 minutes....

Running my software remotely with my dongle local (over 100 miles away).
That is awesome and I want to share this with the world... but as you might know if you are in the same business... nobody understands what you are talking about :(

Right click, activate, and you "own" the software....

Update 18-02-2012:

Although configuring it was less easy (mostly because of my router settings), it is possible to make the UTN Manager available over the internet.
I can now access my dongles from across the globe, which gives me huge possibilities.
This way I can install my software on a remote computer and access my local dongle, so I can run different tools remotely without needing to ship or bring my dongle to clients!!

Saturday 4 February 2012

SMS recovery from an iPhone

I will write this in English as I know there are a lot of questions about extracting SMS messages from iPhones around the globe. As long as SMS messages are still in their file structure, you will be able to get them out using an SQLite browser.

But what if you have the feeling that there are more SMS messages to be found in the iPhone, but the tools you use (if you have any) can't get them out?
In an ongoing investigation we had such a case, which made us look deeper into the raw data.

To find the end of SMS messages, we used:
\x00\x6E\x6C\x01

Better, but with more false positives (but also more good SMS messages):
\x00\x6E\x6C\x01|\x00

As \x6E\x6C is the hexadecimal value for "nl" and this iPhone was an iPhone from the Netherlands,
it may be that the hex value differs from country to country. We haven't checked that.

In our case we found 122 messages instead of the 14 that were found earlier with the tools meant for extracting SMS from data.
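Both the iMessage lightgrep expression in the post above and the SMS end marker here are byte-level regex searches over a raw dump. The Python below is an added example, not the investigators' tooling: it applies the post's two SMS patterns to a constructed sample and returns the printable run in front of each marker. The minimum run length is an assumption added to cut noise.

```python
import re

# End-of-message marker from the post (00 6E 6C 01). "nl" matched the
# Dutch iPhone examined there; the marker may differ by country.
SMS_END = rb"\x00\x6E\x6C\x01"
MIN_CHARS = 4  # assumption: shorter printable runs are discarded as noise

# Strict: text must be followed by the full marker.
# Loose: the post's "\x00\x6E\x6C\x01|\x00" variant, which also accepts a
# bare NUL and so yields more hits and more false positives.
STRICT_RE = re.compile(rb"([\x20-\x7E]{%d,})%s" % (MIN_CHARS, SMS_END))
LOOSE_RE = re.compile(rb"([\x20-\x7E]{%d,})(?:%s|\x00)" % (MIN_CHARS, SMS_END))


def recover_sms(raw, loose=False):
    """Return (offset, text) for every printable ASCII run that ends at
    a marker; the run extends back to the previous non-printable byte."""
    pattern = LOOSE_RE if loose else STRICT_RE
    return [(m.start(1), m.group(1).decode("ascii"))
            for m in pattern.finditer(raw)]


# Constructed raw dump: two messages followed by the full marker, one
# printable run ending in a bare NUL, and one run too short to count.
SAMPLE_RAW = (
    b"\x00\x00\x00\x00\x01\x02" + b"Hallo, tot zo!" + b"\x00\x6E\x6C\x01"
    + b"\x00\x10" + b"See you at 8" + b"\x00\x6E\x6C\x01"
    + b"garbage\x00\x7f" + b"ok\x00\x6E\x6C\x01"
)

if __name__ == "__main__":
    for name, loose in (("strict", False), ("loose", True)):
        for offset, text in recover_sms(SAMPLE_RAW, loose):
            print(f"{name} {offset:#06x}: {text!r}")
```

The loose pattern returns the extra "garbage" hit, which is the trade-off the post describes: more real messages, but more false positives to review by hand.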

For a way to get a DD image of your "jailbroken" iPhone, take a look at:
http://modmyi.com/forums/file-mods/237321-how-iphone-data-recovery.html

For non-jailbroken iPhones you either have to jailbreak them or contact a specialist to make an image with specialised tools like the Cellebrite UFED.

TomTom triplog files decrypted!!

TomTom uses triplog files to analyse your routes and provide better services to you as a customer.
For investigations, this information can be very useful as well.

We are now able to provide you with the decrypted TomTom triplog files and send you the triplog.kml files with them. Now you can import the valuable data into Google Earth.
See the video impression or take a look at the route on Google Maps.


Sunday 25 December 2011

Twitter gives answers

We all know that within Twitter you can search for all kinds of subjects and people.
Combining search queries makes the searches much more targeted.
For example, it is possible to find all tweets posted within a certain area (of course the location data, e.g. via GPS, must then be included by the tweeter, because without location data there is no location).

We ourselves regularly get this question from customers:
Does that happen often? A hard disk that breaks?!

A nice search query on Twitter then becomes something like:
https://twitter.com/#!/search/realtime/kapot%20defect%20OR%20%22harde%20schijf%22%20OR%20harddisk%20OR%20%22hard%20disk%22%20near%3A%22utrecht%22%20within%3A100mi

Of course you can make nice combinations yourself. Twitter has made a nice page for that, so you do not need to know the operators that can be used.

https://twitter.com/#!/search-advanced

Playing with the operators yourself:

harde schijf  ->  contains both the word "harde" and the word "schijf" anywhere in the text
"harde schijf"  ->  contains the exact phrase "harde schijf"
harde OR schijf  ->  contains at least one of the terms "harde" or "schijf"
harde -schijf  ->  contains the term harde, but the term schijf must not occur in the text
#harddisk  ->  contains the hashtag #harddisk
from:digirec1  ->  sent by digirec1
to:digirec1  ->  sent to digirec1
@digirec1  ->  messages in which the user @digirec1 appears
near:almelo within:25km  ->  messages from within a radius of 25 km of Almelo (e.g. posted from mobile phones with GPS)

There are more operators, but with the above you can build many search queries.