Elcomsoft Explorer for WhatsApp (EXWA) is a
Windows tool to acquire, decrypt and display WhatsApp communication
histories. The tool offers multiple acquisition options to extract
and decrypt WhatsApp data from multiple local and cloud sources
including Android smartphones, iOS system backups (iTunes and
iCloud), and WhatsApp proprietary cloud backups in Google Drive and
The tool supports both rooted and non-rooted Android phones. Encrypted backups can be automatically decrypted providing that the correct password is supplied. Downloading cloud backups from Apple iCloud and iCloud Drive requires entering the user’s Apple ID and password or using a binary authentication token extracted from the user’s computer, while Google Drive downloads require a login and a password. Two-factor authentication is supported for both Apple and Google accounts.
The built-in viewer offers convenient view of messages, calls and pictures stored in multiple WhatsApp databases obtained from the different sources. Instant filtering and ultra-fast searching allow finding records of interest in a matter of seconds.
Elcomsoft Explorer for WhatsApp supports all of the following acquisition methods of WhatsApp databases:
Direct extraction from Android smartphones
Rooted (Android 4.0-9.0) and non-rooted (Android 4.0-6.0.1) devices are supported. Phone must be unlocked for acquisition.
Over-the-air acquisition of WhatsApp proprietary backups stored in Google Drive
WhatsApp backups can be pulled from the user’s Google Account and decrypted. Access to registered phone number or SIM card is required. Google ID and password required.
Extraction from local iTunes backups
Encrypted backups are automatically decrypted. The correct password is required to decrypt the backup.
Over-the-air acquisition from iOS backups stored in Apple iCloud
WhatsApp databases are automatically retrieved from iOS backups stored in Apple iCloud. Fast acquisition is made possible by selectively downloading WhatsApp information instead of pulling the entire backup from the cloud. Apple ID and password or binary authentication token required.
Over-the-air acquisition of WhatsApp proprietary backups stored in iCloud Drive
Proprietary WhatsApp backups can be pulled from the user’s iCloud Drive account and decrypted. Access to registered phone number or SIM card is required. Apple ID and password or binary authentication token required.
WhatsApp Acquisition: Not an Easy Target
WhatsApp Messenger is one of the most popular instant messaging tools, if not the most popular one. WhatsApp clients are available for all mobile platforms including Android, Apple iOS, Blackberry, and Microsoft Windows Phone 8.x and Windows 10 Mobile.
WhatsApp is a popular target for spammers, hoaxers and cyber criminals. On at least one occasion, intercepted WhatsApp communications helped uncover a terrorist organization.
Since WhatsApp employs secure end-to-end messaging, it is not possible for law enforcement to request communication histories from Facebook who currently owns WhatsApp. As a result, acquisition is only possible from end-user devices or data backups produced by such devices and saved either locally or stored in a cloud.