When extracting data from WhatsApp, you may find that not all expected data, such as messages and call logs, was included in the final report because this data is end-to-end encrypted by the developer/manufacturer. Globally, encrypted applications have become a challenge for mobile forensic science.
WhatsApp's end-to-end encryption ensures only the sender and the receiver can read or listen to what was sent, and nobody in between, not even WhatsApp. This is because, with end-to-end encryption, messages are secured with a lock, and only the recipient and sender have the special key needed to unlock and read them.
The good news is that WhatsApp media are stored in the media folder and can therefore be located without root access. If you are using the “browse phone” function, the data will be stored at the following path: phone/application0/com.whatsapp/live_specific/Media…
Within the limits of forensic analysis, there are a few steps to follow to get the best possible result. There are a few ways to extract the information you need:
Rooting / Jailbreaking your device
Creating a physical image of your device
Using an App downgrade function in our software MOBILedit Forensic
1) Rooting / Jailbreaking
Most Android devices should be able to be rooted. However, the process of rooting is specific to each phone model, version of Android, and build number, so you always need to find the right tool according to your phone model.
You can root a majority of older Android phones using an app called KingoRoot. If for some reason this method doesn't work for you (locked bootloader, Knox, etc.), you may be able to find help on how to root your phone at XDA Developers, a website with a large, active user community dedicated entirely to Android smartphones.
Please note that sometimes it is necessary to unlock your phone's bootloader in order to root it. You can find a step-by-step tutorial on how to unlock the bootloader on your phone manufacturer's webpage.
Once rooting has been completed successfully, the phone is switched to so-called "rooted mode", and you will then be able to extract and analyze the deleted data.
Rooting your phone may void the manufacturer's warranty and could cause security risks. Please take this into consideration before performing this process.
Rooting a Samsung device will trip the Knox Warranty void flag which will make the data stored in Knox permanently inaccessible.
There are three ways of jailbreaking your iOS device:
Tethered - This method requires you to connect your iPhone to your computer and use an external application to jailbreak it. Once you restart your iPhone, the jailbreak is undone, but please note: your device will not be usable until you jailbreak it again using the same method.
Semi-tethered - This method doesn't require you to connect your iPhone to a computer in order to jailbreak it. However, the jailbreak is still undone every time you reboot your device or after a certain amount of time passes.
Untethered - This method doesn't necessarily require a computer to perform a jailbreak on your device. It also modifies iOS on a deeper level, which means that no matter how many times you reboot your device, it stays jailbroken until you manually "un-jailbreak" it.
There are specific known ways to jailbreak almost every iPhone, iPad, or iPod Touch running almost every iOS version, except the latest releases, as it usually takes a few months to find a way of jailbreaking the newest version of iOS.
This means that there is no way of describing them all in a single article.
However, the apps currently most often used for jailbreaking iOS devices are Pangu or Cydia Impactor. You can learn more about how Cydia works on the app developer's official website at this link, or you can read this article which describes a simplified process of iOS jailbreaking.
You can see a full list of available jailbreaks for each device and version here.
Jailbreaking a device may void the manufacturer's warranty and could cause security risks. Please take this into consideration before performing this process.
2) Creating a physical image of your device
There are many ways to create a physical image from a device. You can, of course, create the image with tools of your own and use our software for extraction, but our product MOBILedit Forensic offers some tools as well:
There is a way of extracting a physical image from phones with MediaTek chipsets without root access (rooting the phone).
This exploit method does not work on all MTK-equipped devices, but sometimes it is the only way of acquiring the physical image because the phone does not have to be booted up or unlocked in order to perform this operation, which means you can try even if the phone is off or locked.
This will not work for most MTK devices with locked bootloaders. In order to use MTK Hack on such devices, the bootloader has to be unlocked first.
More information about how to use MTK Hack in MOBILedit Forensic can be found here.
There is also a way of extracting physical images from phones with Qualcomm chipsets without root access (rooting the phone).
This exploit method does not work on all Qualcomm-equipped devices and it is best when used with an EDL cable.
More information about how to use EDL Hack in MOBILedit Forensic can be found here.
The "LG Hack" feature works on all LG smartphones with the new version of the LG LAF protocol (this is a service download mode similar to Samsung Odin download mode). One of the first devices to feature this version was the first LG G flagship.
Every LG smartphone from the year 2013 and newer should, therefore, support our LG hack.
With some of them (the LG G4, for example), you are even able to browse the phone's filesystem via the "Browse Phone" option in MOBILedit Forensic.
This exploit takes advantage of "LG Flash Mode" - used primarily for updating firmware.
More information about how to use LG Hack in MOBILedit Forensic can be found here.
The device has to have its bootloader unlocked in order to proceed with this method.
Every Android phone has a "recovery" partition which is by default used for performing factory resets using an OEM's preloaded tools. However, this partition can be modified in order to replace the default tools with third-party recovery tools such as TWRP.
These recoveries are (unlike the stock ones) capable of modifying all the internal system partitions of your phone or tablet (they need this capability in order to flash custom firmware).
TWRP even comes with a built-in file manager with unlimited root access, so you can modify, add or delete any system files manually. This process allows you to obtain physical images, bypassing the protection of an otherwise locked device.
However, if the image is encrypted by the system itself, we are only able to get the encrypted physical image.
More information about how to use the TWRP method in MOBILedit Forensic can be found here.
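A quick way to triage whether an acquired physical image is system-encrypted, as described above, is to sample its blocks and measure their entropy. This is an added example, not part of MOBILedit Forensic; the block size, the 7.9 bits/byte threshold, the 0.9 ratio and the two sample images are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

BLOCK = 4096          # bytes per sampled block (assumed)
HIGH_ENTROPY = 7.9    # bits/byte; assumed threshold for "looks random"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_image(path: str, samples: int = 64) -> dict:
    """Sample evenly spaced blocks and report how many look random."""
    total_blocks = os.path.getsize(path) // BLOCK
    if total_blocks == 0:
        raise ValueError("image smaller than one block")
    step = max(1, total_blocks // samples)
    high = zero = seen = 0
    with open(path, "rb") as f:
        for idx in range(0, total_blocks, step):
            f.seek(idx * BLOCK)
            block = f.read(BLOCK)
            seen += 1
            if block.count(0) == len(block):
                zero += 1                      # unallocated or trimmed space
            elif shannon_entropy(block) >= HIGH_ENTROPY:
                high += 1
    used = seen - zero                         # ignore all-zero blocks
    ratio = high / used if used else 0.0
    return {"sampled": seen, "zero": zero, "high": high,
            "high_ratio": ratio, "likely_encrypted": used > 0 and ratio >= 0.9}

def demo() -> tuple:
    """Constructed stand-ins: random bytes vs. a repetitive plaintext layout."""
    with tempfile.TemporaryDirectory() as d:
        enc, plain = os.path.join(d, "enc.img"), os.path.join(d, "plain.img")
        with open(enc, "wb") as f:
            f.write(os.urandom(BLOCK * 128))
        with open(plain, "wb") as f:
            f.write((b"SQLite format 3\x00" * 256 * 2 + bytes(BLOCK)) * 43)
        return triage_image(enc), triage_image(plain)

if __name__ == "__main__":
    print(demo())
```

Compressed media also reads as high entropy, so treat the result as a hint to confirm against the partition and filesystem headers.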
MOBILedit Forensic can also use the Dirty COW (Dirty Copy-On-Write) exploit, which can temporarily root a device that has an Android version up to 7.
The root is removed once the device is restarted.
More information about how to use the Dirty COW exploit in MOBILedit Forensic can be found here.
3) Using an App downgrade function in our software MOBILedit Forensic
Due to better security, some application manufacturers made restrictions on what data can be acquired from their apps. This is especially relevant for non-rooted phones.
To bypass this, we have introduced the App downgrade feature in MOBILedit Forensic, which downgrades the apps to a version in which there was no problem obtaining the data from them directly.
Please note that only some apps support this feature as of yet, although we are working on expanding the list.
More information about how to use the App downgrade in MOBILedit Forensic can be found here.
4) Captured phone photos
Last but not least, there is always the option to simply capture screenshots of your mobile screen, for example while having the WhatsApp chat open. This method might be lengthy; however, it is a very effective way to get your desired conversation into the final report if every other method fails.
For more detailed info please visit our article here.