Whatsapp forensic tool – Whapa is a set of graphical forensic tools to analyze WhatsApp from Android and soon iOS devices. All the tools have been written in Python 3.8 and have been tested on Linux, Windows, and macOS systems.
Whapa is included as a standard in distributions such as Tsurugi Linux (Digital Forensics) and BlackArch Linux (Penetration Testing).
Whapa toolset is divided into five tools:
Android
Whapa (Whatsapp Parser)
Whacipher (Whatsapp Encryption/Decryption) *** NEW Crypt14 ***
Whagodri (Whataspp Google Drive Extractor)
Whamerge (Whatsapp Merger)
Whachat (Whatsapp Chat Exporter)
iPhone
Whacloud (Whatsapp ICloud Extractor) NEW BETA TOOL FOR IPHONE
Whachat (Whatsapp Chat Exporter)
How to install Whatsapp forensic tool
Step 1:
First, we need to download the Whatsapp forensic tool so type the below command on your terminal
For Linux
git clone https://github.com/B16f00t/whapa.git
For Windows
Step 2:
Change the directory to whapa so type the following command on terminal
cd whapa
chmod +x whapa-gui.py
How to use Whatsapp forensic tool
For Linux
Type the following command on your Linux to start the Whatsapp forensic tool
python3 whapa-gui.py
For windows
Click on a whapa-gui.bat file to run the Whatsapp forensic tool on your windows
1. WHAPA
whapa.py is an Android Whatsapp database parser that automates the process and presents the data handled by the SQLite database in a way that is comprehensible to the analyst. If you copy the “wa.db” database into the same directory as the script, the phone number will be displayed along with the name. Whatsapp forensic tool
Reports
To create reports the first thing we need to do is to configure the file”./cfg/settings.cfg”. For example:
[report]
company = Foo S.L
record = 1337
unit = Research group
examiner = B16f00t
notes = Chat maintained between the murderer and the victim
If we want to put the logo of our company, we must replace the file ‘./cfg/logo.png’ with one of our choices. In the file ‘./cfg/settings.cfg’, the name of the company or unit must be specified, as well as the assigned registration number, the unit or group we belong to, who the examiner is and we can also specify notes in the report. Whatsapp forensic tool
To generate the report we must specify the option “English” whether we want the report in English, as well as “ES” whether we want the report in Spanish.
If you specify the “wa.db” database, the phone number will be displayed along with the name. For the report to contains the images, videos, documents… you must copy the “WhatsApp/Media” folder of your phone to the report directory, otherwise, the program will generate thumbnails.
If we want to print the document or create the report in pdf, It recommends in the print option -> scale the view <= 60% or 70%, otherwise, the report will be displayed too large. Whatsapp forensic tool
2. WHACIPHER
Whacipher.py is a tool that allows the decryptor to encrypt the WhatsApp database. You must have the key of your phone to decrypt, and additionally an encrypted database as a reference to encrypt a new database.
3. WHAMERGE
Whamerge is a tool to joins backups in a new database, to be able to be analyzed and obtain more information, such as deleted groups, messages, etc…
4. WHAGODRI
Whagodri.py is a tool that allows WhatsApp users on Android to extract their backed-up WhatsApp data from Google Drive.
Make sure of:
Download the latest version of whapa
Install the requirements
Settings:
Edit only the values of the./cfg/settings.cfg file
[google-auth]
gmail = alias@gmail.com
# Optional. The account password or app password when using 2FA.
password =
# Optional. The result of "adb shell settings get secure android_id".
android_id = 0000000000000000
# Optional. Enter the backup country code + phonenumber be synchronized, otherwise it synchronizes all backups.
# You can specify a list of celnumbr = BackupNumber1, BackupNumber2, ...
celnumbr =
5. WHACLOUD
Whacloud.py is a tool that allows WhatsApp users on iPhone to extract their backed up WhatsApp data from iCloud. BETA TOOL May contain bugs.
Make sure of:
Download the latest version of whapa
Install the requirements
Settings:
Edit only the values of the./cfg/settings.cfg file
[icloud-auth]
icloud = alias@icloud.com
passw = yourpassword
6. WHACHAT
whachat.py is a tool to make an interactive report from WhatsApp’s export chat functionality.
To export chats on an Android phone, here are the steps:
Open the individual or group chat.
Press the Menu button.
Press More.
Select Export chat.
Choose Include or Exclude files.
To export chats on an iOS phone, here are the steps:
Open the individual or group chat.
Press on the name (Chat information).
Slide down.
Select Export chat.
Choose Include or Exclude files.