If you can create a physical dump of an Android phone, you can carve for encrypted WhatsApp databases in case you do not find them in the actual filesystem.
We found that the msgstore.db.crypt has a header and footer that seem to be consistent on multiple devices we extracted.
This helps us to carve for these files, using the found header and footer:
Header: \x49EF23AEFF or \xB749243065
Footer: \x2426708BF3
Carving will probably produce multiple files. To be able to decrypt them, each one must be named msgstore.db.crypt.
(The number of selected bytes must be divisible by 16.)
These msgstore.db.crypt files can then be handed over to Whatsapp Xtract.
(Whatsapp Xtract needs the name msgstore.db.crypt. Other names will result in an error.)
If the WhatsApp database is exported correctly and completely, Whatsapp Xtract will export an HTML file with the chat messages from this database.
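The following Python carver is an added example, not part of the original post or of Whatsapp Xtract; it applies the header, footer and 16-byte rule described above. It assumes the selection runs from the first header byte through the last footer byte; the 64 MiB search window and the `carve_<offset>` directory names are arbitrary choices.

```python
import mmap
import sys
from pathlib import Path

# Signatures as given on this page.
HEADERS = [bytes.fromhex("49EF23AEFF"), bytes.fromhex("B749243065")]
FOOTER = bytes.fromhex("2426708BF3")
MAX_SIZE = 64 * 1024 * 1024  # assumed upper bound for one database


def carve(buf, max_size=MAX_SIZE):
    """Return sorted (offset, length) spans from header to footer, length % 16 == 0."""
    hits = []
    for header in HEADERS:
        start = buf.find(header)
        while start != -1:
            limit = min(len(buf), start + max_size)
            end = buf.find(FOOTER, start + len(header), limit)
            # The footer pattern can also occur by chance inside the ciphertext,
            # so keep looking until the selection is a multiple of 16 bytes.
            while end != -1 and (end + len(FOOTER) - start) % 16:
                end = buf.find(FOOTER, end + 1, limit)
            if end != -1:
                hits.append((start, end + len(FOOTER) - start))
            start = buf.find(header, start + 1)
    return sorted(hits)


def write_hits(buf, hits, outdir):
    """Write each hit to its own directory so every file is named msgstore.db.crypt."""
    paths = []
    for offset, length in hits:
        target = Path(outdir) / f"carve_{offset:012x}" / "msgstore.db.crypt"
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(buf[offset:offset + length])
        paths.append(target)
    return paths


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: carve.py <dump.img> <output dir>
        with open(sys.argv[1], "rb") as fh, \
                mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as dump:
            for path in write_hits(dump, carve(dump), sys.argv[2]):
                print(path, path.stat().st_size)
```

Run it against a read-only copy of the dump and hand each resulting directory's file to the decryption step separately.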
Be aware that you will only carve the WhatsApp messages that have not been deleted from the database. The freelist will not be carved.
If you load a corrupted msgstore.db.crypt into Whatsapp Xtract you can get this error:
Be aware: you might still get a msgstore.plain.db, the decrypted version of the msgstore.db.crypt.
Although this file will not open in an SQLite viewer, you can open it in Notepad or Notepad++ and find WhatsApp messages here and there.