Elcomsoft Explorer for WhatsApp 2.60 adds the ability to decrypt WhatsApp conversations from stand-alone WhatsApp backups made on iPhone devices and retrieved from iCloud Drive. The new decryption method does not require a WhatsApp activation code.
Elcomsoft Explorer for WhatsApp 2.60 is an incremental update, adding the ability to decrypt stand-alone WhatsApp backups downloaded from iCloud Drive without receiving an activation code from WhatsApp. In previous versions, EXWA required access to the user’s verified phone number (SIM card) to obtain the encryption key and decrypt the backup. The new release offers the ability to decrypt downloaded backups by using a copy of the iPhone keychain extracted from a jailbroken device.
The new decryption methods makes use of the encryption key stored on the iPhone in the keychain. While most keychain items are accessible via logical acquisition, WhatsApp targets a higher security class and can be only obtained with iOS Forensic Toolkit 4.0 via physical keychain extraction. A jailbreak is required in order to access the keychain. This key can be used to decrypt the backup in place of the code received from WhatsApp servers.
The new decryption method is optional, and offers tangible benefits over the previously used (and still available) decryption method. The expert will no longer require to obtain the security code from WhatsApp by SMS or phone call, and WhatsApp will remain active on the user’s iPhone. If one does not have access to the user’s SIM card and cannot receive the activation SMS, this could be the only extraction method available. The decryption key extracted from the user’s keychain will work for all past and future WhatsApp backups made on that device.
Release notes: