The software introduced in this post, called WhatsDump, is a multi-platform command-line tool that can forensically acquire the cipher key needed to decrypt WhatsApp's msgstore.db.crypt* database backups.
You might be familiar with the well-known WhatsApp-Key-DB-Extractor, which does essentially the same thing but does not support devices running Android Nougat or later. The reason is that it relies on a procedure called APK Downgrade, in which the WhatsApp application is temporarily replaced by an older version so that the private key can be extracted; the original version is then re-installed to avoid significantly altering the evidence on the examined device.
The problem with this approach is that the APK Downgrade procedure fails on Android devices running a recent (>= Nougat) version of the operating system. In fact, if you try to run the above-mentioned tool on an Android 8.0 device you'll get the following error code: INSTALL_FAILED_VERSION_DOWNGRADE. This is due to a security update to the operating system committed on 24-02-2016 and released with Android Nougat (you can find the details of this commit here).
WhatsDump's approach is different: it exploits the way WhatsApp generates the private key. The cipher key is tied to the mobile phone number used to initially register with the WhatsApp service. If we register using the same number and trick the application into thinking that we have a local backup, we can both decrypt the database and obtain the decryption key.
The software spawns an Android emulator (in which we can execute commands as root) and interacts with it programmatically to (1) register the phone number, (2) verify the code, and (3) extract the cipher key.
You can find more information on the features and usage of the tool in the GitHub repository. This tool is a proof of concept and is not complete, so it may be unstable and have bugs; you're free to submit PRs to improve it.