2nd International Engineering Conference (IEC 2017)

Federal University of Technology, Minna, Nigeria

Forensic Acquisition of Data from a Crypt 12 Encrypted Database of

Whatsapp
John K Alhassan, Bilikisu Abubakar, Morufu Olalere, Shafi'i Muhammad Abdulhamid and Suleiman Ahmad
Department of Cyber Security, Federal University of Technology, Minna, Nigeria.
[email protected], [email protected], [email protected],
[email protected], [email protected]

ABSTRACT
Mobile phone devices have become popular among every age and social grouping in every society and are utilised by lots of
people for different purposes. As the design of Mobile phones are continually evolving due to advancement in present
technologies, applications that run on them are also being updated to fully utilise features on new devices. Due to the
flexibility and portability coupled with applications that make communication easy and accessible, these devices are now
mostly used to perform e-transactions, social networking and even criminal activities. One of such applications is WhatsApp
which over various versions have tried to maintain the confidentiality and integrity of messages sent and received using
WhatsApp. Securing of data from Criminals or unauthorized users called for constant updating of the encryption scheme of
the SQLite database which is usually saved on the memory of the device on which it is installed. Over many updates of
WhatsApp, the encryption has been changed from db.crypt, db.crypt5, db.crypt7, db.crypt8 to db.crypt12. There is need for
forensic expert to constantly update their knowledge so as to get the needed information from the database. This study
presents a forensic process of extracting WhatsApp data from db.crypt12, which is the latest SQLite Database encryption
used by WhatsApp to secure stored communication data. The steps involve using some open source tools that can be
downloaded for free on the internet.

Keywords: Forensic Analysis, Whatsapp, Mobile Phones, Database

help the legal teams or law enforcement agency, resulting in

1. INTRODUCTION legal evidence production and presentation.

Mobile phone devices are found everywhere in our society, Wikipedia describes WhatsApp Messenger “as a patented,
utilized by lots of people for different purposes. The different-platform, encrypted instant message client for
flexibility and portability incorporated into the design of smartphones. Internet connection is required to send
Mobile phones differ and are continually changing as messages, documents, PDF files, GIF images, video and
present technologies advance and new technologies are audio messages to other individuals utilizing standard cell
brought in. Smart phone devices are mostly used to perform phone numbers”. The company WhatsApp Incorporated,
e-transactions, used for social networking and even criminal was established in 2009 by the founder Brian Acton and Jan
activities. Koum, who were one-time workers in Yahoo! In February
Most at times mobile phones are used to commit offences, 2014, months after valuation of capital financing round at
the users delete the information that can be linked to an $1.5 billion, WhatsApp was worth $1.5B. Facebook
offence so that evidence cannot be found against them. informed it was buying WhatsApp for $19 billion, its most
Mobile phone forensics analysis is an effective means of enormous procurement to date ("Facebook to Acquire
gathering trails of digital data for criminal evidence, which WhatsApp," 2014)
is much hard to remove (Taylor et al., 2012 & Abdulhamid
et al, 2017). WhatsApp was the major globally common messaging app,
There are different kinds of mobile phone forensics which in August 2014 it has over 600 million active users Olsen
includes recorded mobile phone conversation, mobile texts (2014). WhatsApp made over seven hundred (700) million
messages, digital photos, emails, contacts no. lists and active users monthly and more than thirty (30) billion
mobile digital video recordings (Walnycky et al., 2015). messages where being sent every day Kim ( 2015) in
When evidence is gathered for legal uses, this has to be January of 2015. In April of 2015, the application had over
preserved and kept to avoid damage or removal of essential eight hundred (800) million active users. These large
digital materials through systems built up for data extraction numbers of users has made WhatsApp one of the most
from mobile phone. Usually, mobile phone forensics are suitable digital evidence gathering platforms compared to
used in digital data recovery of deleted contents. These can Over-The-Top services like Skype and other short
 2nd International Engineering Conference (IEC 2017)
Federal University of Technology, Minna, Nigeria

messaging service options. By September of 2015, the users database (msgstore.db) in an attempt to recover the
had increased to nine (900) hundred million, and by conversations from the chat option even the deleted ones.
February of 2016 it had increased to over one billion. (Statt Only for WhatsApp to respond soon and came up with an
and Nick, 2016). encryption mechanism to safeguard its database (Sahu,
2014).

B. Today

Presently, according to WhatsApp officials they are

considering the conversation database security in a very
important manner, at present WhatsApp database encryption
have custom Advanced Encryption Standard (AES)
encryption algorithm with over 192-bit encryption key
primarily employed for WhatsApp Android Platform. Thus
the previous file msgstore.db is now converted to
msgstore.db.crypt, msgstore.db.crypt5,msgstore.db.crypt7,
msgstore.db.crypt8 and finally msgstore.db.crypt12 which is
encrypted by AES algorithm with 256-bit key (Ibrahim,
2016)

2. REVIEW OF RELATED WORKS

Figure 1: global snapshot of popularity among 6 social networking apps Mobile device forensics is the skill of acquiring digital
(Source: WhatsApp Forensics and Its Challenges for Android Smartphone) prove from a mobile device under forensically sound
conditions using accepted methods. It is an evolving
In February 2016, WhatsApp made users of about one specialty in the field of digital forensics (Lohiya, John, and
billion, making it the most popular messaging application Pooja Shah, 2015). The goal of mobile forensics is the act of
(Statt and Nick, 2016). employing sound methodologies for obtaining data
contained inside the internal memory of a mobile device and
related media giving the capability to accurately report
WHATSAPP APPLICATION BEFORE NOW AND one’s discoveries.
TODAY Abidin (2015) forensically analyzed Instagram, a third-party
application installed on mobile phones. The
WhatsApp data is kept in the Internal Memory of a mobile author conducted forensic investigation on Instagram which
phone. After it has been installed, it automatically operates is a popular social networking application to find out if
with the phone's contacts indicating individuals who are activities carried out with smartphone’s social networking
using WhatsApp already. Whenever a mobile phone device applications are stored in the internal storage of the mobile
which has the WhatsApp application installed on it is turned device and what sort of forensic data can be obtained or
on, the “com.whatsapp” procedure obtains a prompt to start found in the device. The methodology used in this study
the 'External Media Manage' and 'Message Service' services could not show strong evidence that the exhibit (i.e mobile
that functions behind the scene on the mobile phone till the phone) was used to send or transfer images to and from
mobile phone is turned on. Instagram. The authors’ analysis of the Instagram account
discovered in the smartphone was unable to prove that the
device was used at any time to login as administrator.
A. Before Now
Details such as registered email and password were not
Messages exchanged on earlier versions of WhatsApp were found in the device.
kept in 'msgstore.db' which is a SQLite databases. However, In the research work by Walnycky, Baggili, Marrington,
in early versions, security scientists discovered that Moore, & Breitinger (2015) titled “Network and device
WhatsApp chat records were vulnerable, because the forensic analysis of Android social-messaging applications”
database file which keeps the chat records was not acquired forensic data to analyze the network traffic of 20
encrypted. This can result to easy accessibility of the entire widely used instant messaging applications on the Android
conversation chat details such as contacts, images, videos, platform and also device-stored data. The authors rebuilt
and so forth. When this information reaches the internet, some residual content from sixteen (16) out of twenty (20)
security investigators began to research with WhatsApp mobile applications that was examined; pointing to an
 2nd International Engineering Conference (IEC 2017)
Federal University of Technology, Minna, Nigeria

inadequate security requirements and privacy standard used the File System was Extracted, database files ‘msgstore.db
by the various applications but may be interpreted as and wa.db’ were discovered with chat sessions information.
positive for evidence gathering intent by forensic The authors did not analyze the RAM for any WhatsApp
professionals. application data residues or attempt recovery of erased data.
Al Mutawa, Baggili, & Marrington (2012) in a paper titled In a paper presented by Sahu, (2014) “An Analysis of
“Forensic analysis of social networking applications on WhatsApp Forensics in Android Smartphones” the focus
mobile devices” carried out forensic analysis on three most was on performing forensic analysis by gathering helpful
utilized social networking mobile apps on smart phones: forensic data from WhatsApp and from corresponding
Facebook, Myspace and Twitter. They carried out a test on mobile applications installed on an Android smartphone.
three widely used smartphones: Android phones, The method the author applied was that a Python tool was
BlackBerrys and iPhones. The tests include installation of used to decrypt and read the encrypted database with the
these applications on selected devices, carrying on similar latest version of WhatsApp 2.11. 186. However, after phone
user actions on each application. The authors acquired a reset, artefacts became irretrievable and erased data
forensically good logical image of all the devices used, then irrecoverable.
performed a manual analysis of each of the logical image. Forensic Analysis Android Smartphones with WhatsApp
These analyses were intended at detect if activities application installed was considered by Thakur (2013). The
performed by these applications were kept on the device’s approach focuses on WhatsApp application. The author
internal memory. Their results showed that chat messages describe how forensic experts can acquire helpful forensic
from android phone were recovered. However, no traces information from android devices running WhatsApp and
could be found on BlackBerry devices. similar applications installed on a mobile device running
Karpisek, Baggili, & Breitinger (2015) carried out a Android. The author performed a real-time analysis on an
research to decrypt and understand WhatsApp call signaling Android smartphone to acquire user interaction details from
messages. The authors described how network traffic was the application. The evidence collection process
decrypted to acquire forensic artefact’s that pertain to a new concentrated on getting and analyzing of user application
feature for placing call which includes WhatsApp audio data from the device’s external storage and the RAM of an
codec (Opus), WhatsApp phone numbers, WhatsApp call Android device. Although the tool the authors used could
duration, WhatsApp server IPs, and WhatsApp's call extract user data from RAM their work could not interpret
termination. The tools and methods used to decrypt the data extracted from RAM into human readable form. Also,
traffic as well as their findings with regard to the WhatsApp the tools they used were not customized to display user
signalling communications was explained. specific information, the tool could only highlight three
Anglano, Canonico, & Guazzone (2016) present an aspects of user data that is to say messages they exchanged,
approach focuses on presenting forensic analysis of the contact numbers of users along with database queries which
artefacts generated on Android smartphones by Chat Secure, disclose the basic structure of database for WhatsApp.
a secure Instant Messaging application that provides strong In this work, a forensic method of extracting data from a
encryption for transmitted and locally-stored data to ensure crypt12 encrypted WhatsApp database stored on an android
the privacy of its users. The methodology used was based mobile form is presented furthering research in the area.
on the use of emulated devices that provides a very high
degree of reproducibility of the results, and validated the
results it yields against those obtained from real 3. RESEARCH METHODOLOGY
smartphones. The main aim of this study is to forensically extract data
Mahajan, Dahiya, & Sanghvi (2013) present a paper titled stored by WhatsApp with a crypt 12 SQLite database on
“Forensic Analysis of Instant Messenger Applications on android mobile device. The goal of the research was reached
Android Devices” carried out a forensic analysis of two successfully.
popular instant messaging applications (IMs) on an Android
smart phones: WhatsApp and Viber, with the objective of A. Performing Forensics Analysis on WhatsApp Data
finding out what data or information can be extracted from Using Android Smartphone
the internal memory of the device’s for instant messengers. To perform forensic analysis for the purpose of recovering
A Universal Forensic Extraction Device (UFED) Classic evidence from a crypt12 encrypted database on an android
Ultimate (V 1.8.0.0) physical analyzer was used to analyze mobile device, a set of tools/software’s are required. These
the two applications. In the instance of WhatsApp, they tools are
found chat message artefacts, sent file names, send and
received timestamps were obtained. However, it was not
possible to determine the locations were those files are
stored. While manually testing WhatsApp application after
 2nd International Engineering Conference (IEC 2017)
Federal University of Technology, Minna, Nigeria

TABLE I. LIST OF HARDWARE AND SOFT WARE USED FOR FORENSIC The database must be decrypted on the device to the legacy
ANALYSIS
Cypt encryption which the WhatsApp xtract tool is able to
Requirements Specification extract a SQLite readable database from. To achieve this,
Android Smart phone Infinix hot tab on the third option on the Omni crypt app interface
“enable crypt 6 – 12 backups”. You will receive a pop up
WhatsApp Application Version 2.17.2
alert saying it has been enabled.
HP Envy intel core This allows the Omni Crypt app to locate the WhatsApp
Forensic WorkStation
i7
database folder on the SD card (default memory where
Omni crypt Version 3.0.2
WhatsApp is installed). If the device does not contain an SD
WhatsApp extract Version 2.2 card, Omni crypt will detect the default memory (Phone
storage). You may now proceed to tap on “decrypt
SQlite DB Browser Version 3.9.1
WhatsApp Database”

B. Preparing the Android device under forensic

investigation.
The first step to perform acquisition of WhatsApp database
file is turning off the mobile or switching it to flight mode to
ensure that it is disconnected from all external networks.
The omni crypt android application discussed in section
3.2is then installed on the device. The app is free for down
load on android playstore at
https://play.google.com/store/apps/details?id=com.omnicryp
t&hl=en.

Figure 3: Decrypting the WhatsApp database

On taping the option on Figure 2, Omni crypt decrypts the

last backed up database from. crypt12
(Msgstore.db.crypt12) to legacy .crypt (Msgstore.db.crypt)
shown in Figure 3 using a key stored on the device which it
finds and uses to create a copy of the database with that
encryption. This is the copy of the database that will be
copied to the forensic workstation for decryption to an
unencrypted database that can be opened and viewed by the
SQLite DB browser.

Figure 2: Omni crypt app user interface installed on the device

 2nd International Engineering Conference (IEC 2017)
Federal University of Technology, Minna, Nigeria

key that is stored inside the RAM of the mobile device.

However, before copying the database from the device onto
the work station, click on internal memory folder and browse
to WhatsApp folder to find the database folder which
contains WhatsApp database file as shown in figure 7

Figure 6: WhatsApp folder in SD card

Figure 4: .crypt database created from .crypt12 database using Omni.

C. Retrieving the database from the Android device

under forensic investigation.
The device must now be placed on developer’s mode by
navigating to Settings > About > Software Information >
More. Then tap the devices “Build number” seven times to
enable Developer options. Return to Settings menu and you
will see “Developer options” there. Tap on it and turn on
USB Debugging from the menu on the next screen. (Figure
5).
Figure 7: WhatsApp database from the mobile device under investigation.

The next step is the database file retrieved from the android
device under investigation should be placed in the WhatsApp
Xtract folder (figure 8).

Figure 5: Enabling USB debugging on Android device.

Using an appropriate USB cable, connect the mobile device

to the forensic workstation. On connecting successfully, the
mobile device will display in My Computer as Portable
Media Player.
Double click on the mobile device and Browse to the
folder named “WhatsApp” and then browse in a folder
named Databases. (Figures 6). Since these databases are
encrypted and cannot be viewed directly, we require a cipher Figure 8: Database file placed in WhatsApp Xtract
 2nd International Engineering Conference (IEC 2017)
Federal University of Technology, Minna, Nigeria

workstation. Once this is done, the browser displays a list of

The extract tool is run using Whatsapp_extract_andriod tables present on the database store which include the
script to decipher the crypt database as shown in figure 9. chat_list, frequents, group_participants,
group_participants_history, media_refs,
media_streaming_sidecar, messages, messages_fts,
messages_fts_content and other tables. Tables can be
switched by clicking on the drop down menu of the on the
browse data tab and selecting the desired table (Figure 11)

Figure 9: The database file after running the extract tool

The database can now be viewed with the DB browser tool.

Figure 11: Switching database tables to view various stored data with the
DB browser

On selecting the appropriate table for exploration, a

forensic investigator will see all the data stored and used by
WhatsApp on that table. The message table contains all
Figure 10: Database tables after decryption and viewing with the DB
browser messages sent to and from contacts on the android device.
The mobile number of message recipients and senders are
Figure 10 shows the tables on the database that was stored under the field key_remote_jid in the format mobile-
decrypted from the android device under forensic [email protected] while the messages are stored in the
investigation. There are 16 tables on the database with 16 field data (Figure 12). The timestamp (unix format) media
indices. The tables are url (reference to images, video and audio files stored in the
chat_list,frequents,group_participants,group_participants_his media folder of WhatsApp on the external memory card).
tory,media_refs,media_streaming_sidecar,messages,message Media name and cation fields also exist to store those data
s_fts, messages_fts_content, etc. for media files for which they exist. The send and receive
time stamp for each sent and received messages are also
captured on the database. Although fields exist for storing
4. RESULTS AND DISCUSSION the longitude and latitude of possible the device of the
sender, none where recorded on the database table (Figure
Prior to applying the methodology employed in this
13)
study, it was impossible to read or write into the SQLite
database stored on the android device SD card. This is now
possible as shown in Figure 10. The resultant database store
(msgstore.db) can be explored using the DB browser for
SQLite Database by opening the database with the software
tool. This can be done by clicking the open database tab and
navigating to where the database is stored on the
 2nd International Engineering Conference (IEC 2017)
Federal University of Technology, Minna, Nigeria

Although images are not stored on the database, it

contains a table that stores the image paths as stored on the
SD card (Figure 14).

Figure 12: Contacts stored as remote keys and corresponding

sent/received messages

Figure 14: Media reference files stored on the media_refs table

The study was able to reach the same results as those of

Gudipaty (2015) who decrypted a now legacy version of the
encrypted database which uses a .crypt7 encryption key.

5. CONCLUSION

The methodology discussed in this study presents a

forensically sound method of extracting data from a crypt12
encrypted database with a standard approach that can be
applied to any forensic investigation that involves obtaining
evidence from WhatsApp messenger on an Android
smartphones. The procedure involves using a couple of open
source tools to extract conversations from an android device
under investigation which are encrypted with a crypt12
encryption at the time of this study and stored on the
external memory card (SD Card) of the device if present or
the internal memory of the android device if SD card is not
Figure 13: Empty longitude and latitude fields present.

Although the longitude and latitude positions are

currently not being captured, it is safe to infer that the 6. RECOMMENDATION
developers are presently working on an update of the The major difficulty for any forensic investigation is the
application that stores this details on the SQLite database constant updating of the encryption standard used by
which will be a vital information to forensic investigators as
WhatsApp application to protect the backups that are stored
they will be able to determine the location of the device
on the device from unauthorized read and write access.
owner when messages are sent and received.
Earliest versions of the application stored backup copies of
the database in a plain unencrypted manner making them
 2nd International Engineering Conference (IEC 2017)
Federal University of Technology, Minna, Nigeria

easily readable and vulnerable for malicious users to exploit. Investigation, 15, 110-118. doi:
The current version of WhatsApp uses crypt12 encryption http://dx.doi.org/10.1016/j.diin.2015.09.002
keys which was formally crypt8. It is therefore very Kim, E. ( 2015). "WhatsApp's Insane Growth Continues:
100 Million New Users in 4 Months". Business Insider.
important for forensic investigators to keep themselves up to Lohiya, R., John, P., & Pooja Shah (2015). Survey on
date about the current encryption of WhatsApp databases Mobile Forensics. International Journal of Computer
and available techniques that may be used to retrieve data Applications, 118(16).
from such database backups for the purpose of presenting Mahajan, A., Dahiya, M. S., & Sanghvi, H. P. (2013).
forensic investigation. Forensic Analysis of Instant Messenger Applications on
Android Devices. International Journal of Computer
Applications, Volume 68– No.8.
Olsen, P. (2014). WhatsApp Hits 600 Million Active Users.
REFERENCES Forbes.
Abdulhamid, S. M., Abd Latiff, M. S., Chiroma, H., Osho, Sahu, M. S. (2014). An Analysis of WhatsApp Forensics in
O., Abdul-Salaam, G, Abubakar, A. I. and Herawan T. Android Smartphones. International Journal of
(2017), "A Review on Mobile SMS Spam Filtering Engineering Research, Volume No.3(No.5), 349-350.
Techniques", IEEE Access, DOI: Statt, & Nick. (2016). "WhatsApp has grown to 1 billion
10.1109/ACCESS.2017.2666785. users". Retrieved September 10, 2016
Abidin, N. Z. B. Z. (2015). Forensic Analysis Of Third Thakur, N. S. (2013). Forensic Analysis of WhatsApp on
Party Applications: Instagram. Forensic Focus. Android Smartphones. (MSC in Computer Science,
Al Mutawa, N., Baggili, I., & Marrington, A. (2012). Information Assurance), University of New Orleans,
Forensic analysis of social networking applications on University of New Orleans.
mobile devices. Digital Investigation, 9, S24-S33. Walnycky, D., Baggili, I., Marrington, A., Moore, J., &
Anglano, C., Canonico, M., & Guazzone, M. (2016). Breitinger, F. (2015). Network and device forensic
Forensic analysis of the ChatSecure instant messaging analysis of Android social-messaging applications.
application on android smartphones. Digital Digital Investigation, 14, Supplement 1, S77-S84. doi:
Investigation, 19, 44-59. doi: http://dx.doi.org/10.1016/j.diin.2015.05.009
http://dx.doi.org/10.1016/j.diin.2016.10.001 What Is an Android Phone? . Retrieved 02, December,
Facebook to Acquire WhatsApp. (2014). [Press release] 2016, from https://www.lifewire.com/definition-of-
Ibrahim, M. (2016). How to Decrypt WhatsApp crypt12 android-phone-578661
Database Messages. Retrieved October 30, 2016 WhatApp. wikipedia. "Whatsapp Video Calling" (blog).
Karpisek, F., Baggili, I., & Breitinger, F. (2015). WhatsApp Retrieved Dec 18, 2016.
network forensics: Decrypting and understanding the
WhatsApp call signaling messages. Digital