
WhatsApp has the option to download a Windows (or Mac) Desktop version. Installation requires pairing the software with a mobile phone.

I have read a similar question about Android devices, and according to this answer, in my case, the Desktop PC would be considered a Secondary Device.

My question is: Which forensic tools and/or methods are available to extract WhatsApp data from a Secondary Device (Desktop PC) when there isn’t any “first device” (i.e. the original mobile device) to extract it from?

Does the Desktop version of WhatsApp store any data (i.e. chats, media files, etc.) on the Desktop machine, and are there any forensics tools or methods to extract such data?

schroeder
  • check here C:\Users\[User_Name]\AppData\Roaming\WhatsApp\Cache – yeah_well Aug 17 '19 at 20:32
  • I see files such as data_3, data_2. What format are these files? – Michael Haephrati Aug 17 '19 at 20:40
  • I actually haven't tried it. Copy pasted from Quora. It's probably encrypted. WhatsApp data on the phone is encrypted as well. – yeah_well Aug 17 '19 at 20:59
  • Those are SQLite database files. WhatsApp doesn't encrypt the data at rest, neither on phone nor on paired desktops. Signalapp does. – defalt Aug 17 '19 at 21:06
  • Well I just tested it using https://sqlitebrowser.org/ and they appear to be encrypted – Michael Haephrati Aug 17 '19 at 21:09
  • They may have started using it now for desktop app. It wasn't this case before. But on phone, data is still stored unencrypted. I checked it last month. – defalt Aug 17 '19 at 21:15
  • I recall during my time in university, we used Magnet Axiom to dump some What's App data from a Laptop. Could have been an older version without encryption though. –  Aug 18 '19 at 11:29

1 Answer

In \WhatsApp\Service Worker\CacheStorage you find unencrypted multimedia files. You have to skip a header and a fake url, which usually finishes in %3D. The rest is a multimedia file. Easiest to recognize are jpg headers, but I also found png, riff, ogg, mp4.

If you have only a few files in Cache and ServiceCache you can find pairs of files with almost matching size (comparing the encrypted f_* files with the header-stripped *_0 files, assuming that the f_ file is the encrypted version of the _0 file). The f_ files are larger, filled up to the next multiple of 16, plus 10 extra bytes. So one guess was that the original file was padded with 0's up to the next multiple of 16, encrypted, and an IV of size 10 bytes (!) was stored with the file. Or of size 8 and two other bytes.

I have my key to decrypt msgstore.db.crypt12 files (which is pretty useless, because when you have the key you also have the unencrypted msgstore.db). However, I didn't succeed.

Mick
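As an added illustration (not part of Mick's answer or of any WhatsApp tooling), a small Python carver that follows the layout he describes: skip the header and the fake URL ending in `%3D`, then look for the media signatures he lists, plus the padded-size relation he reports for pairing `f_*` files with `*_0` files. The sample cache entry is constructed, and the "multiple of 16 plus 10 bytes" rule is taken from the answer as an assumption, not a documented format.

```python
from typing import Dict, List, Optional, Tuple

# File signatures named in the answer (JPEG, PNG, RIFF, OGG). MP4 is matched
# separately because its "ftyp" marker sits at offset 4 of the first box.
MAGICS = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "riff": b"RIFF",
    "ogg": b"OggS",
}

def carve_media(entry: bytes) -> Optional[Tuple[str, int, bytes]]:
    """Locate the embedded media in one CacheStorage entry.

    Assumed layout (from the answer): opaque header, then a URL-like string
    ending in '%3D', then the raw media file. The signature search starts
    after the marker so header bytes are never mistaken for a magic value.
    Returns (kind, offset, payload) or None when no known signature is found.
    """
    marker = entry.find(b"%3D")
    start = marker + 3 if marker != -1 else 0
    best: Optional[Tuple[str, int]] = None
    for kind, magic in MAGICS.items():
        off = entry.find(magic, start)
        if off != -1 and (best is None or off < best[1]):
            best = (kind, off)
    off = entry.find(b"ftyp", start)          # MP4/ISO base media box
    if off >= 4 and (best is None or off - 4 < best[1]):
        best = ("mp4", off - 4)
    if best is None:
        return None
    return best[0], best[1], entry[best[1]:]

def is_encrypted_counterpart(plain_len: int, enc_len: int) -> bool:
    """Size relation observed in the answer (assumption): plaintext padded to
    a multiple of 16, plus 10 extra bytes stored with the ciphertext."""
    padded = (plain_len + 15) // 16 * 16
    return enc_len == padded + 10

def pair_by_size(enc_sizes: Dict[str, int], plain_sizes: Dict[str, int]) -> List[Tuple[str, str]]:
    """Pair f_* (encrypted) files with *_0 (header-stripped) files whose sizes fit."""
    return [(e, p) for e, es in enc_sizes.items()
            for p, ps in plain_sizes.items() if is_encrypted_counterpart(ps, es)]

# Constructed sample entry: 13 header bytes, a fake URL ending in %3D, then a JPEG.
SAMPLE_ENTRY = (b"\x00\x00\x00\x10cache-hdr" + b"https://example.invalid/blob/abc%3D"
                + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40)

if __name__ == "__main__":
    print(carve_media(SAMPLE_ENTRY)[:2])       # ('jpg', 48)
```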