WhatsApp Forensics

With more than 1.5 billion users and 5.5 billion messages per day, WhatsApp is without a doubt the most popular messenger in the world. All messages sent using WhatsApp have end-to-end encryption, meaning they are unreadable if intercepted by anyone, including law enforcement and WhatsApp itself. More importantly, WhatsApp communications are never stored on the WhatsApp server. It is no surprise with this type of security built-in to the application it is often the choice communication platform of users with nefarious agendas. Keeping that fact in mind, it is imperative investigators are armed with methods and tools to recover this essential data

Oxygen Forensics offers the most comprehensive WhatsApp data extraction and decryption tools in the market.

WhatsApp From Mobile Devices

End-to-end encryption, as described, only offers security for a “man-in-the-middle attack” or simply live interception.  However, the data on an Apple iOS or Android device is available in a decrypted format. The problems investigators often face in today’s mobile device examinations involving WhatsApp and other apps is often how to overcome a device with a screen lock or device encryption.

When it comes to iOS devices, all WhatsApp data can be extracted in a basic iTunes backup procedure. However, for Android devices, we often recommend a physical extraction method to recover WhatsApp’s evidentiary files. We offer a wide range of physical collection methods that are successful on a large variety of Android devices. Remember, when examining an Android device always check the SD card for a WhatsApp backup.  This file is always encrypted, but we have you covered! You will find information about Oxygen Forensics’ innovative decryption methods below.

WhatsApp data extracted and decrypted from a mobile device.

WhatsApp From Cloud

A WhatsApp user, using an iPhone or Android device, may choose to back up their chats to iCloud or Google Drive. It is important to understand; WhatsApp backups are encrypted by default and to decrypt them a forensic investigator should have access to the SIM card to which this WhatsApp account is assigned. Armed with this SIM and investigator can recover and decrypt this valuable WhatsApp data.  However, there are other methods to decrypt this recovered data using the WhatsApp Cloud token.  This is outlined more in the following paragraphs.

Extracting WhatsApp data from various cloud services there could be additional hurdles like two factor authentication (2FA) or two-step verification.  Our Oxygen Forensic Cloud Extractor documentation contains detailed instructions on how to overcome these additional challenges.

Extraction of this valuable cloud data is extremely important.  This collection may contain data that had been deleted from the device which can easily occur if synchronization is set to each week or each month.

WhatsApp extraction directly from cloud services.


WhatsApp Backup Decryption

The standard WhatsApp backup decryption method used throughout the industry is based on a key file.  With our innovative methods, Oxygen Forensics offers a new decryption method that requires only a phone number! This method is a great alternative to the commonly used key file. Case in point: If you have found an encrypted backup on an Android’s SD card with no access to the Android internal memory where the decryption key is stored simply use our innovative decryption support. Our Oxygen Forensic Cloud Extractor offers you an exclusive opportunity to decrypt this backup by receiving a code to the phone number assigned to the recovered SIM card.

Not only data from the device is recoverable, but Oxygen Forensic Detective can also recover a special WhatsApp Cloud token from physical extractions of Android devices.  This token can be utilized to decrypt WhatsApp backups from Android devices, WhatsApp Google Drive, and WhatsApp iCloud backups associated with the same phone number.

WhatsApp backup decryption and display.

WhatsApp Cloud (Server)

It is known that WhatsApp does not store any communications on its Server that have been delivered.  Messages and unanswered calls that cannot be delivered (e.g., it has no Internet connection, or it is switched off) will be temporally stored on the server. Oxygen Forensic Detective has the unique ability to access this data from the cloud via only the phone number or special WhatsApp Cloud token extracted from Android devices.


If you have a locked mobile device that you cannot acquire try this:  switch it off, wait for a few moments, remove the SIM card and place it into another phone that is unlocked to a carrier. Select WhatsApp Cloud service in our Cloud Extractor, select to receive a code to the SIM card.  Now you will have access to the undelivered messages, unanswered calls and their contacts.

WhatsApp extraction directly from cloud services.

WhatsApp via QR Token from PC

Users can now access and communicate using WhatsApp Desktop and WhatsApp Web Apps from a computer. Our exhaustive research revealed that these apps do not store any databases on the computer being used to communicate. However, with our free Oxygen Forensic KeyScout utility, built into Oxygen Forensic Detective, you can detect a WhatsApp QR token on a computer where WhatsApp was used. This valuable token will allow you to extract complete WhatsApp data in our Cloud Extractor. The only condition is that the WhatsApp owner’s mobile device must have an active Internet connection. If the mobile device is locked, no problem! This WhatsApp QR code method is ideal for data extraction from locked mobile devices. However, if you have an unlocked mobile device but for some reason the extraction continually fails, simply scan the WhatsApp QR code from the device in our Cloud Extractor to acquire all the current WhatsApp data.   

What an INCREDIBLE 2018!

What an incredible year at Oxygen Forensics, Inc. in 2018!  Not only have we continued to gain more customers from around the world, we have brought to the #DFIR community some amazing solutions to today’s digital forensic problems. Oh, we have been busy; however, one thing remains, our customers will always be first!  Our slogan of helping to make this world safer was supported by these incredible innovations of 2018 and our valued customers.  Let’s look at a few we are extremely proud of in all areas of forensics to include mobile, cloud, drone, IoT, and even computer.


LOCKED DEVICE SUPPORT. We added additional supported devices to our innovative screen lock bypass methods by adding the EDL method for Android devices based on selected Qualcomm chipsets. Our cutting-edge method supports a wide range of Qualcomm chipsets and works on 500+ Android devices of 26 manufacturers that include Acer, Alcatel, Asus, Coolpad, Gionee, Huawei, Lenovo, LG, Micromax, Motorola, Nokia, OnePlus, Oppo, Xiaomi, ZTE, etc. We also significantly extended and updated our Spreadtrum physical extraction method by adding support for over 100 new Android devices with 4, 8 and 16 Gb of RAM. Our updated algorithm allows for easy turn-key addition of new Spreadtrum models when requested. And finally, we added the ability to extract available photos, databases and files from a wide range of locked Samsung devices via MTP.

PHYSICAL IMAGE DECRYPTION. It’s all too common with today’s modern Android devices and their encrypted user partition. This problem, which often makes a physical extraction useless, is and will continue to be a hurdle for investigators. This year we added the ability to brute force and decrypt physical extractions of LG devices running Android OS 6.x and 7.x. You can either find the password using the built-in Passware module or enter the known password manually.


We owned 2018 with each new release by introducing industry-first methods of WhatsApp data extraction. Our new WhatsApp QR code method allows investigators to acquire all WhatsApp data using a WhatsApp QR token extracted by our KeyScout utility from a Windows computer. That means you can acquire WhatsApp data without the phone! It gets even better! Oxygen Forensic Detective also offers two more industry-exclusive WhatsApp forensic features – WhatsApp backup decryption via phone number and access to the WhatsApp Cloud Server (implemented in 2017). It must be mentioned – we support 60 unique cloud services; many of them are ONLY supported in our software!


DRONE SUPPORT. In 2018 we added physical extraction of DJI Spark and Mavic Pro drones via rooting which continues to remain an industry unique feature. Now you can gain access to drone flight logs, telemetry, and exclusive metadata using a standard USB cable. An additional unique feature, only found in, Oxygen Forensic® Detective, is the ability to extract valuable user data from from DJI cloud and SkyPixel via tokens extracted from a mobile device.


DIGITAL ASSISTANTS. Digital assistants are already a part of everyday life and have been successfully used to solve several crimes. Oxygen Forensic® Detective brought investigators the power to extract data from Amazon Alexa and Google Home from both a mobile device and their cloud services. Access to these device cloud stores was made simple with a username and password or token. These valuable pieces of information can be found and extracted from both a computer or mobile device. Detective acquires valuable information including account and device details, contacts, messages, calendars, notifications, lists, activities, skills, and more.

HEALTH-TRACKING WEARABLES. Health-tracking wearables and apps can record heart rate, sleep periods, location, and more. Data from these common every-day devices have already assisted law enforcement in several high-profile crimes. Oxygen Forensic® Detective in 2018 gave investigators the ability to extract locations, workouts, health and other valuable data from Fitbit, Google Fit, and Samsung Health both from both mobile devices and cloud services.

We introduced data extraction from smartwatches based on Mediatek chipset. Oxygen Forensic® Detective now performs logical acquisition of MTK smartwatches and allows forensic experts to extract device model, contacts, calls, messages, multimedia files, and other valuable data. We supported over 30 smartwatch models in 2018!


PASSWORDS AND TOKENS. This year we introduced our portable KeyScout utility that armed investigators with a tool to seek and locate tokens and passwords saved in desktop web browsers and other applications, like Internet Explorer, Google Chrome, Mozilla Firefox, Opera, and Mozilla Thunderbird. An added bonus, KeyScout finds credentials in iCloud for Windows, WhatsApp Desktop, Telegram Desktop and Unigram apps and also collects the passwords to Wi-Fi hot spots. The collected credentials can then be imported into Oxygen Forensic® Cloud Extractor for immediate use.


JETENGINE. We closed 2018 with our innovative 64-bit module – Oxygen Forensic® This powerful forensic utility allows investigators to quickly parse volumes of data and leverage advanced analytical tools to quickly pinpoint and quantify evidence. The days of slowly processing large data sets from mobile devices, IoT sources, cloud services, and drones are over! Now you can extract data in Oxygen Forensic® Detective and then import it to Oxygen Forensic® JetEngine for fast data parsing and analysis.


The numbers will always tell a better story! As of 2018 Oxygen Forensic® Detective supports data extraction from 24977 unique device profiles, 453 unique apps, 8806 app versions and 60 cloud services!  We are looking forward to a great 2019 with our continued great customer support, innovative research and development team, fabulous staff, and the best customers in the world.

Oxygen Forensic Detective 10.4 is here! Examine more data from more sources than ever before

The latest version of our flagship software, Oxygen Forensic® Detective is now live and available for download by customers with current licenses.

In addition to added support for dozens of application updates, version 10.4 offers several major new features to enable investigators to extract and examine more data than ever before.

Decrypt WhatsApp Backups

In some cases, you may have a WhatsApp backup file extracted from an SD card or the internal memory of an Android device, but you do not have a key file to decrypt it. Oxygen Forensics now offers a new method to decrypt WhatsApp backups in such cases. All you need to do is import a WhatsApp backup into Oxygen Forensic® Cloud Extractor by clicking “Decrypt WhatsApp backup files” on the startup window. You will be offered two options for backup decryption – using the phone number associated with the backup or a WhatsApp Cloud token extracted from the Android device. Once data is decrypted you can open it in Oxygen Forensic® Detective for detailed analysis and reporting.

Import GrayKey iPhone Images

Oxygen Forensic® Detective 10.4 supports import and parsing of GrayKey images made from Apple iOS including devices ranging from iPhone 5S to iPhone 8 as well as iPhone X, running iOS versions up to 11.4.1. To import a GrayKey image select Import Apple backup/Import GrayKey image from the Import menu on the toolbar. Oxygen Forensic® Detective parses and recovers all available data including contacts, messages, calls, calendars, pictures and files, application data, passwords, geo coordinates, and much more.

Acquire Locked Samsung Devices

Oxygen Forensic® Detective 10.4 enables partial acquisition of locked Samsung devices via MTP. The method is compatible with devices running Android 4.4.x, 5.x, 6.x, 7.x. with the security update no later than October 27, 2017. All you need to do is connect a device via cable in Oxygen Forensic® Extractor and select Search for MTP devices in Automatic connection settings. The software will bypass screen lock and extract pictures and databases that are available via MTP.

Detect Similar Photos with PhotoDNA

We’ve added the ability to identify pictures with similar images using PhotoDNA hash sets. Select Search similar images in the Search menu. The software will automatically find similar images and group them together. This method allows to identify similar images that were, for example, modified or edited and allows forensic experts to find sensitive content within a short period of time.

Extract Wi-Fi Hotspot Connections

We’ve extended the functionality of Oxygen Forensic® KeyScout to support discovery of previously accessed Wi-Fi hotspots and their passwords on the subject’s computer. To collect Wi-Fi hotspots, run KeyScout on a computer. Once they are acquired you will see a Wi-Fi Access Points tab in KeyScout. You can save collected Wi-Fi data to an OCPK file for use in Oxygen Forensic® Cloud Extractor OCPK Viewer.

Examine Bluetooth Connection History

Oxygen Forensic® Detective 10.4 offers extraction of Bluetooth connections from iOS devices. Now you can acquire the information about both paired and nearby devices: MAC address, device name, and last detected time.

Authenticate via Google Prompt

We’ve added the ability to sign in to Google services with 2FA enabled by using Google Prompt. Four authentication types are now available for Google services: SMS, authenticator code, backup code, and Google Prompt.

Extract Qualcomm Devices with Improved EDL

EDL method for Qualcomm devices has been improved in the latest version. Manual selection of EDL bootloader is now available along with automatic bootloader upload. EDL method allows extraction of data from 450+ Qualcomm-based Android devices.