Friday, May 6, 2016

Decrypting WhatsApp crypt9

This is a quick tutorial on how to decrypt WhatsApp crypt9 databases.

  • an Android emulator (I used BlueStacks)
  • WhatCrypt app by TripCode - WhatsApp Database Crypt Tool (I know there is a web version of this tool, but that's something I'm not allowed to use)

For the following steps, the two tools require no internet connection to work.

  1. Run BlueStacks
  2. Drag and drop the .apk file from your PC to the emulator window in order to install WhatCrypt
  3. There's a shared folder between the host and the emulator located in: C:\ProgramData\BlueStacks\UserData\SharedFolder
  4. Copy into this folder the WhatsApp key file and your crypt9 databases. Rename the key file to whatsapp.cryptkey otherwise WhatCrypt won't be able to detect it.
  5. Run WhatCrypt
  6. Click WhatsApp database
  7. Double click on Encrypted Database Path
  8. Navigate to the path /storage/sdcard/windows/BstSharedFolder and select the crypt9 db you need to decrypt
  9. Double click Key File Path
  10. Select the whatsapp.cryptkey file
  11. Click Decrypt Database

Done! A SQLite database named msgstore.db will appear in the SharedFolder on your computer.

Saturday, April 2, 2016

WhatsApp chat parser for Windows Phone 7.8

WhatsApp messages are stored in a SQLite3 database named messages.db in the path \Applications\Data\218A0EBB-1585-4C7E-A9EC-054CF4569A79\Data\IsolatedStore. Contacts are stored in contacts.db.

Contacts.db has no embedded pictures. Contact profile pictures are stored in the subfolder profilePictures. These files are named in the format MobileNumber@s.whatsapp.net_thumb with no file extension.

Messages are stored in the table Messages of the database messages.db. The KeyFromMe field indicates if a message was received (value 0) or sent (value 1). The same table has a field named BinaryData which contains a small thumbnail of the multimedia attachment. The table MessageMiscInfos could contain a larger thumbnail in the LargeThumbnailData field. The common field between the two tables is the MessageID.

The version number of the application is stored in the file named version. The WhatsApp version 2.11.670 shown below was released late February 2015.

Based on these findings, I wrote a script to automate the parsing. To use it, type: messages.db

The script will create four folders named based on the generated output:

Thumbnails are saved as .jpg files with the name format:

Each conversation is saved as a separate HTML page (each table is sortable by clicking the column header). The html_short folder contains a reduced output with just a few columns. 

If you get the error sqlite3.DatabaseError: file is encrypted or is not a database
when running the script, you have to replace the sqlite3.dll file in C:\Python27\DLLs with the most recent version available here.

Monday, February 8, 2016

Apple Time Capsule: imaging and data extraction

Imaging a Time Capsule
  1. Tear down the Time Capsule (iFixit provides a detailed guide)
  2. Clone the Time Capsule hard disk to another hard disk (drive-to-drive copy). I used a hardware duplicator for this step. You'll need the cloned drive later.

Data preview

In my case the sparsebundle files were stored in "/volumes/Backup/ShareRoot". FTK Imager will just show a number of files of 8 MB in size.

Data extraction


Steps to follow
  • Connect the cloned drive in RW mode to your Mac and choose not to use it as a Time Machine drive.
  • Connect to your Mac an additional drive of the same capacity as the Time Capsule drive. In case your Mac doesn't have enough USB/FW ports, you can copy (drag and drop) the sparsebundle files to the internal drive on your Mac.

  • Mount a sparsebundle file in RO mode by typing in the terminal:

         hdiutil attach -readonly yourfilename.sparsebundle

  • List now all connected drives:

         diskutil list

  • Clone the mounted sparsebundle to your destination drive (you must be root for this):

         dcfldd if=/dev/diskMountedSparseBundle of=/dev/diskDestinationDrive conv=noerror,sync

Once finished with dcfldd, unplug the destination drive. As a final step, capture a compressed forensic image of the destination drive. A compressed E01 image will be more or less the same size as the relative sparsebundle file.

You have to repeat all the steps for each sparsebundle file.

If you know a quicker way, please let me know.