
How to get as much data as possible from secure apps - WhatsApp and others

WhatsApp is used here as an example, yet this could easily apply to other secure apps such as Telegram, Instagram, Facebook, Facebook Messenger, X (Twitter), etc.

We have concentrated on Android for this FAQ because, on iOS, most apps generally export their data to the encrypted iTunes backup.

When extracting data from WhatsApp on Android, you may encounter a problem where not all the app data can be seen in the final report. Sometimes the media can be extracted, depending on how the app is set up, but messages, call logs and some attachments are not shown in the report.

This is due to app security and app sandboxing. The app developers secure the contents and app data for user privacy and security. The data can only be read through the app UI once the device is unlocked and the app is signed in to and, if a code has been set, that code is entered regularly.

WhatsApp's end-to-end encryption is not the reason the data cannot be extracted, as it relates only to data in transit.
This ensures only the sender and the receiver can read or listen to what was sent, and nobody in between, not even WhatsApp. This is because, with end-to-end encryption, messages are secured with a key and only the recipient and sender have the special key needed to unlock and read them.

The good news is that, most of the time, WhatsApp media is stored in the device media folder and can therefore be accessed without root access.

If using the “browse phone” function, the data will be stored at the following path: phone/application0/com.whatsapp/live_specific/Media…

Within the limits of forensic analysis, we need to follow a few steps to get the best result and as much data as possible. There are a few ways to extract the information:

  • Rooting - gain root access on your device for logical or physical extraction.

  • Physical image - a bit-by-bit copy of the device storage memory (as long as the image is unencrypted or able to be decrypted)

  • App downgrade - downgrade the app to a version of the app that was still exporting data to the ADB backup.

  • Camera and screen capture

    • Smart screenshots (Android only) - Fully automated screenshots include text and attachment extraction.

    • Phone photo sequence (Android only) - Semi-automated screenshot sequences, guided by the examiner.

    • Manual screenshots (iOS & Android) - Manual single screenshot sequences, guided by the examiner.

  • Jailbreak - For iOS, WhatsApp data is provided in the encrypted iTunes backup but if no data is present, consider jailbreaking.

Rooting

Most Android devices should be able to be rooted, although the process is specific to each phone manufacturer, model, Android OS version, chipset and security patch level. There may be one or more ways to get root access, or there could be none available.

Within MOBILedit Forensic Security bypassing, there is the “Rooting” option. This uses one of four temporary exploit methods to gain root access, giving further options for a logical extraction, which will provide a full file system, or for creating a physical image. (See “Physical” below)

The temporary rooting methods rely on the security patch level not being higher than March 2020 and, if successful, will give access to secure app data.

Some other methods that can give root access, such as Fastboot, Recovery or Odin, require flashing a custom recovery to the device. Using these methods requires the bootloader to be unlocked, which deletes the User data. As the User data is what we are interested in, this is not a viable option for forensic investigations.

Rooting a phone may void the manufacturer's warranty and could cause security risks. Please take this into consideration before performing this process.
Rooting a Samsung device will trip the Knox Warranty void flag which will make the data stored in Knox permanently inaccessible.
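
A pre-acquisition check for the two constraints above, as an added example that is not part of MOBILedit Forensic: it reads the security patch level and manufacturer from `adb shell getprop` output, compares the patch month with the March 2020 limit and flags Samsung devices for the Knox caveat. `ro.build.version.security_patch` and `ro.product.manufacturer` are standard Android properties; the function names and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage from `adb shell getprop` output (not MOBILedit code).
CUTOFF=202003   # March 2020: highest patch month the temporary methods accept

# Constructed sample dumps in getprop's "[key]: [value]" format.
SAMPLE_OLD='[ro.build.version.security_patch]: [2019-11-01]
[ro.product.manufacturer]: [samsung]'
SAMPLE_NEW='[ro.build.version.security_patch]: [2023-08-05]
[ro.product.manufacturer]: [Google]'

# prop DUMP KEY: print the value of one property (empty if absent).
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')      # escape dots for the regex
    printf '%s\n' "$1" | tr -d '\r' |               # adb may emit CRLF
        sed -n "s/^\[$key]: \[\(.*\)]\$/\1/p" | head -n 1
}

# temp_root_eligible PATCH: 0 = not higher than cutoff, 1 = higher, 2 = unparseable.
temp_root_eligible() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    ym=$(printf '%s' "$1" | cut -c1-7 | sed 's/-//')  # 2020-03-05 -> 202003
    [ "$ym" -le "$CUTOFF" ]
}

# triage DUMP: print one recommendation line for the examiner.
triage() {
    patch=$(prop "$1" ro.build.version.security_patch)
    maker=$(prop "$1" ro.product.manufacturer | tr 'A-Z' 'a-z')
    temp_root_eligible "$patch" && rc=0 || rc=$?
    case "$rc" in
        0) rec="temporary root candidate" ;;
        1) rec="patch level too new for temporary root" ;;
        *) rec="patch level unknown, check manually" ;;
    esac
    [ "$maker" = samsung ] && rec="$rec; rooting trips Knox flag"
    printf '%s: %s\n' "${patch:-?}" "$rec"
}

triage "$SAMPLE_OLD"
triage "$SAMPLE_NEW"
# Live device: triage "$(adb shell getprop)"
```

A "too new" or "unknown" result points to the other routes on this page: physical image, App downgrade or camera and screen capture.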

Physical image

There are multiple methods to create a physical image of a device, and MOBILedit Forensic offers some tools to help you do so.

The most important consideration is whether or not the physical image would be encrypted. If you have MOBILedit Forensic ULTRA, it is possible to extract and decrypt physical images from devices with Mediatek, Kirin and Exynos chipsets. With MOBILedit Forensic PRO it is possible to extract physical images but, if they are encrypted, they cannot be re-imported. You would have to use ULTRA, import the physical image and extract the encryption keys from the original live-connected device.

If you already have an unencrypted physical image, it can be imported to MOBILedit Forensic PRO or ULTRA.

Here are some methods you can use within MOBILedit Forensic PRO.

App downgrade

Due to better security, some application manufacturers impose restrictions on what data can be acquired from their apps outside the app UI. This is especially relevant for non-rooted phones. If it isn't possible to get root access on a device or an unencrypted physical image, the App downgrade function is a way to get readable app data.

To bypass these restrictions we have introduced the App downgrade feature in MOBILedit Forensic, which will downgrade the apps to a version from which the data can be obtained directly without problems.

Read the User Guide section on using App downgrade in MOBILedit Forensic.

Captured phone photos

Use "Camera and Screen Capture" to take screenshots from your device or import images to be projected into a message. This can be useful for retrieving data/chats from apps where you cannot obtain data using root access, an unencrypted physical image, or App downgrade. Click on the links below to read more:

  • Smart screenshots (Android only) - Fully automated screenshots include text and attachment extraction.

  • Phone photo sequence (Android only) - Semi-automated screenshot sequences, guided by the examiner.

  • Manual screenshots (iOS & Android) - Manual single screenshot sequences, guided by the examiner.

Jailbreaking

If you have an iOS device and are not seeing the app data in the report after extracting with an encrypted iTunes backup, and the app is supported, you can try jailbreaking it.

Read more about jailbreaking in the User guide.

 

Jailbreaking a device may void the manufacturer's warranty and could cause security risks. Please take this into consideration before performing this process.
