Introduction: WhatsApp Forensics
Introduction
According to Wikipedia, “WhatsApp Messenger is a proprietary, cross-platform instant
messaging application for smart-phones. In addition to text messaging, users
can send each other images, video, and audio media messages. The client
software is available for Android, Blackberry OS, Blackberry 10, iOS, Series
40, Symbian (S60), and Windows Phone. WhatsApp Inc. was founded in 2009 by
Brian Acton and Jan Koum, both veterans of Yahoo!, and is based in Santa Clara,
California. Competing with a number of Asian-based messaging services (like
LINE, KakaoTalk, and WeChat), WhatsApp was handling ten billion messages per day
as of August 2012, growing from two billion in April 2012.”
WhatsApp Now and Before
WhatsApp 2.11.136 (latest) was first installed on more than one Android phone from the Google Play store. The
application is stored in the internal memory of the phone. The app automatically
syncs with the phone's contacts and shows the people who already use WhatsApp.
When a phone with WhatsApp installed is turned on, the “com.whatsapp” process receives a signal to start the 'ExternalMediaManage' and 'MessageService' services, which run in the
background as long as the phone is on.
Before
Starting with version 2.9, all messages exchanged are stored in 'msgstore.db', which is an SQLite database. The database is loaded into RAM for faster access to the data.
Typically, not all of the content persists in RAM, or it may be overwritten due to
swapping, but this may not be true for Android. You may not have noticed at first
that your WhatsApp conversations are no longer saved on WhatsApp servers
(15 days of chat records only), so all of your chat records, from the first day
you started communicating, are with you. When WhatsApp hit the market,
its main objective was to attract users and increase its total number of users
at rocket speed. But in early versions, privacy-conscious people in the security
field found that the chat records kept by WhatsApp were vulnerable, because the
database file that stores the chat conversations was not encrypted and could
easily be accessed in many ways to obtain the full conversation details. As this
news spread across the World Wide Web, people in the security field started
experimenting with the WhatsApp database (msgstore.db) to retrieve conversations,
even ones deleted from the chat option. WhatsApp reacted quickly and introduced
an encryption mechanism to protect its msgstore.db database.
Now
After this incident, officials from WhatsApp now say they take the security of
the conversation database very seriously (according to them [add Evil Laugh
Here :P]). WhatsApp database encryption now uses a custom AES encryption
algorithm with an encryption key above 192 bits, mainly used on the WhatsApp
Android platform. As a result, the previous msgstore.db file is now converted to
msgstore.db.crypt.
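An added example (not from the original post or from WhatsApp): a Python triage that tells an unencrypted SQLite store such as msgstore.db apart from an opaque blob such as msgstore.db.crypt, using the SQLite file header, byte entropy and AES block alignment. The function names, the `sample_chat` table and both sample files are constructed for illustration, and random bytes stand in for real ciphertext.

```python
import math
import os
import sqlite3
from collections import Counter
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
AES_BLOCK = 16                          # AES ciphertext length is a multiple of 16

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; well-encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_store(path: str) -> dict:
    """Classify a message-store file as plaintext SQLite or an opaque blob."""
    blob = Path(path).read_bytes()
    result = {"size": len(blob), "entropy": round(shannon_entropy(blob), 2), "tables": []}
    if blob.startswith(SQLITE_MAGIC):
        # Open read-only so the evidence file is never modified.
        uri = Path(path).resolve().as_uri() + "?mode=ro"
        con = sqlite3.connect(uri, uri=True)
        try:
            rows = con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
            result["tables"] = [r[0] for r in rows]
        finally:
            con.close()
        result["kind"] = "plaintext-sqlite"
    elif result["entropy"] > 7.5 and len(blob) % AES_BLOCK == 0:
        result["kind"] = "likely-block-cipher"  # heuristic, not proof of AES
    else:
        result["kind"] = "unknown"
    return result

def build_samples(workdir: str):
    """Create constructed sample files; neither contains real chat data."""
    plain = os.path.join(workdir, "msgstore.db")
    con = sqlite3.connect(plain)
    con.execute("CREATE TABLE sample_chat (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO sample_chat (body) VALUES ('constructed test row')")
    con.commit()
    con.close()
    crypt = os.path.join(workdir, "msgstore.db.crypt")
    Path(crypt).write_bytes(os.urandom(4096))  # random bytes stand in for ciphertext
    return plain, crypt
```

Call `classify_store()` on a working copy of an acquired file; a `plaintext-sqlite` result means the chat store is readable by anyone with file access, which is the exposure the early versions had.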
Previous Forensics Methods Used
Before version 2.11 of WhatsApp, hackers were able to decrypt the encrypted
msgstore.db.crypt file without much effort thanks to a WhatsApp forensic toolkit
known as WhatsApp Xtract Tool. It includes a powerful Python script that helps
security professionals decrypt the crypt file and, after decryption, presents a
forensic report as an HTML page with the full conversation
in it.
I started working on this toolkit, but from WhatsApp version 2.11 onwards
the kit became useless because the encryption key used by WhatsApp was
changed, and the developer of the Python script has so far (12/07/2013) been
unable to code the decryption mechanism for it. Here is
the screenshot which pops up when we tried to decrypt the msgstore.db.crypt.
As you can see, the script was unable to
decrypt the latest AES encryption algorithm because it is unable to import the
latest AES cipher. So, for the time being, this manual method of decrypting
WhatsApp chats is disabled. The best we can do is wait for an updated
Python script.
Latest Online Forensic Methods Available
So the last method makes us sad, but don’t
worry, we have some easier and cooler ways to extract WhatsApp
conversations. After my research I found only two websites which offer a
facility to extract the chat details in a very easy manner and, YES, free of
cost.
RecoverMessages was the first site which
caught my attention, and you can find it with a simple Google search. I am
using an Android phone, so I was looking for a platform which could help me do
this task, but what I found is that this website can decrypt not only Android
WhatsApp but also iPhone WhatsApp.
Here are the step-by-step instructions for retrieving the conversation:
1 comments:
If you've accidentally deleted or lost one or more WhatsApp chats on your Android phone, there's no need to worry - it’s relatively easy to restore your chat history! Just use a third-party tool, Android Data Recovery. It can restore WhatsApp messages from Android phones directly and the steps are simple.
In fact, we can also use third-party software to recover WhatsApp messages and contacts from Android devices. I once used a free tool to recover deleted WhatsApp messages from my Android; its name is Android Data Recovery.