WhatsApp is one of the world’s most popular instant messengers. It has client apps on all popular platforms, serving as an effective replacement for text and multimedia messaging and enabling true cross-platform communications on the go.


WhatsApp is more secure than SMS. Unlike carrier-delivered text messages and MMS, WhatsApp communications cannot be intercepted or requested from the provider. Unlike Apple iMessages, WhatsApp is not tied to a single platform, serving as a perfect iMessage replacement for Android-iOS communications. WhatsApp communication history is not reflected in the mobile service bill, and WhatsApp messages are not stored on carrier’s computers in case law enforcement officials need access to that information. WhatsApp messages fly directly between users’ devices, securely encrypted. Strict point-to-point messaging makes it impossible to intercept WhatsApp communications. Even breaking in to WhatsApp won’t help hackers steal someone’s communication history.


Due to its popularity, WhatsApp quickly became a target for spammers, hoaxers and plain criminals of all kinds. The very fact that the messenger app is designed to use secure end-to-end communications makes it difficult for the police to investigate cases involving WhatsApp messaging. Since no logs are stored on carrier’s side, requesting WhatsApp history files from the mobile carrier or an Internet service provider is not possible. The only way to acquire WhatsApp histories is imaging end-user devices or pulling data from local or cloud backups. And that’s exactly what we do in Elcomsoft Explorer for WhatsApp.


Pulling WhatsApp Backups from the Cloud


We made Elcomsoft Explorer for WhatsApp to help legitimate WhatsApp users and mobile forensic experts access communication histories stored in the cloud or available in local iTunes backups. We included certain functionality from our dedicated mobile forensic tool, Elcomsoft Phone Breaker. With Elcomsoft Explorer for WhatsApp, you can extract WhatsApp histories from the following sources:


Local iTunes backups. If you have an offline iOS backup file sitting on your computer, or if you can make the phone produce a backup via iTunes, Elcomsoft Explorer for WhatsApp can extract WhatsApp communication history from that backup. Encrypted backups can be automatically decrypted if you know the password.


Apple iCloud. If the option to make iCloud backups is activated on an iPhone, Elcomsoft Explorer for WhatsApp can connect to the user’s iCloud account and pull WhatsApp histories from iOS system backups. You won’t have to download the entire system backup, as EXWA will use selective access to only pull WhatsApp data. Apple ID and password are required. You can also use a binary authentication token.


iCloud Drive. Even if iCloud backups are not enabled, WhatsApp can be configured to back up its database into the cloud. In this case, WhatsApp will produce a standalone backup in a proprietary format. Elcomsoft Explorer for WhatsApp can download and parse that backup from iCloud Drive.


Since WhatsApp instances are unique per telephone number, a single Apple account may contain multiple WhatsApp backups, each for its own telephone number. Elcomsoft Explorer for WhatsApp will list and allow downloading all of them.


Yes, 2FA Too


Since the version 2.70, Elcomsoft Explorer for WhatsApp supports iCloud accounts with two-factor authentication. Its older versions only supported one-time codes that were pushed to the device by the server. Now the tool can pass 2FA checks by using one-time codes delivered as a text message to the user’s SIM card as well as offline codes generated on the device from the Settings app. So you will only have to pass Two-Factor Authentication checks once per account.


A Word on Binary Authentication Tokens


Just like Elcomsoft Phone Breaker, Elcomsoft Explorer for WhatsApp can connect to iCloud with either the user’s Apple ID and password or by using a binary authentication token extracted from the user’s computer. However, we didn’t include the tools to pull the token file from the computer. If you need a tool to obtain the token, please install Elcomsoft Phone Breaker and use token extraction tool bundled with that product. No worries, you won’t have to pay to use that tool as it’s available in the free evaluation version of Elcomsoft Phone Breaker.


Viewing WhatsApp Databases


Elcomsoft Explorer for WhatsApp comes with a built-in viewer that allows you to browse through multiple WhatsApp databases you’ve extracted. The viewer comes with instant searching and filtering, allowing you to locate contacts, messages and pictures of interest of filtering conversations matching a certain criteria – such as containing a certain key word or falling within a certain date range.


Visit https://www.elcomsoft.com/exwa.html to find more about Elcomsoft Explorer for WhatsApp and download your free trial!