Thanks to visit codestin.com
Credit goes to github.com

Skip to content

kraftdenker/ZAPiXDESK

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
binaries
binaries
 
 
BouncyCastle.Cryptography.dll
BouncyCastle.Cryptography.dll
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
ZAPiXDESK.ps1
ZAPiXDESK.ps1
 
 

Repository files navigation

Attention

Since 9th December 2025, Meta changed WhatsApp Desktop platform from UWP (Universal Windows Platform) to WebView2 (Windows Services + Browser Services). Soon, new reverse efforts will be launched aimed to forensically extract WhatsApp data.

ZAPiXDESK

WhatsApp Desktop Live Forensiscs - Decryption and Extraction Technique

______  ___  ______ ___   _______ _____ _____ _   __
|___  / / _ \ | ___ (_) \ / /  _  \  ___/  ___| | / /
   / / / /_\ \| |_/ /_ \ V /| | | | |__ \ ---.| |/ /
  / /  |  _  ||  __/| |/   \| | | |  __| ---. \    \  
./ /___| | | || |   | / /^\ \ |/ /| |___/\__/ / |\  \
\_____/\_| |_/\_|   |_\/   \/___/ \____/\____/\_| \_/
                                       ZAPiXDESK

Copyrights: 2025 Alberto Magno [email protected] LICENSE GNU General Public License v3.0

Description:

A script that extracts DBKey and decrypts all SQLITE3 database files (including db and write-ahead-logfiles ). On completion a ZIP file containing all WhatsApp decrypted LocalState db's and a MD5 is calculated. Some information also in: https://medium.com/@alberto.magno/whatsapp-desktop-and-web-live-forensics-4n6-233f640e9fb3

Technique based on reverse-engineering-fu (yes! you do not need to use SQLite3 SEE to decrypt) and some info contained in following paper: Giyoon Kim, Uk Hur, Soojin Kang, Jongsung Kim,Analyzing the Web and UWP versions of WhatsApp for digital forensics, Forensic Science International: Digital Investigation,Volume 52,2025,301861,ISSN 2666-2817, https://doi.org/10.1016/j.fsidi.2024.301861. (https://www.sciencedirect.com/science/article/pii/S2666281724001884)

Operation:

  • First, it obtains the OfflineDeviceUniqueID, indicating the method used (TPM, REGISTRY, etc...), used in keys derivation linked to the machine.
  • The tool copies the WhatsApp localstate files (where SQLite3 DB files are located) to operate them
  • It generates the userKey to generate the dbKey for decrypting the files.
  • DbKey is used to decrypt DB and WAL files.
  • All decrypted files and the other content of LocalState are zipped.
  • MD5 HASH file is generates for chain-of-custody purposes.

This script uses Bouncy Castle (BC) for C# .NET (MIT License). https://www.bouncycastle.org/ OBS: this version needs that target machine be on to have access to the unique device id. Its not possible to decrypt without this ID.

You can just collect this ID and LocalState contents to decrypt on another machine.

Usage:

FIRST OF ALL!

  • It is necessary to unblock BouncyCastle.Cryptography.dll in Windows. BouncyCastle.Cryptography.dll must be in the same directory of the ZAPiXDESK.ps1 file.

  • It may also be necessary to enable set the execution policy to Unrestricted or Bypass in PowerShell to execute the script. This can be done with the following command in PS console:

    Set-ExecutionPolicy Unrestricted or Set-ExecutionPolicy Bypass

  • Open PowerShell on target computer (it will attempt to claim administrative rights). run script:

    .\ZAPiXDESK.ps1 with selected arguments. If no arguments are supplied, defaults will be used.

This script will take the following arguments:

-WhatsAppPath
  • This should be the full file path to the location of the WhatsApp LocalState directory. If not provided, it will be derived from the running machine's installation of WhatsApp.
-OutputPath
  • Allows you to select the OutputPath. If not chosen, it will output into the directory from where the script is executed.
-Offline
  • This will allow you to run the script offline against an extracted WhatsApp directory, provided you have the ODUID. To get this, you can either:
    • Run the script simply with the -GetID flag
    • Use the binary in the binaries folder to run on the live system containing the desired WhatsApp installation;
    • Check the registry of the running system at HKLM\SYSTEM\CurrentControlSet\Services\TPM\ODUID for a value named RandomSeed. Using this, you can convert the value "cv1g1gv" to UTF-16 bytes, then make sure the RandomSeed is in bytes, concatenate the "cvgv1gv" bytes and RandomSeed bytes, then get the byte value of performing a SHA256 of those bytes.; or
    • Reboot the computer and boot into UEFI shell, and run the command dmpstore -b OfflineUniqueIDRandomSeed and perform the same byte conversion, concat and SHA256 as in the previous step
-ID
  • When using Offline mode, provide the OfflineDeviceUniqueID (ODUID) value as a standard hex string to be used to decrypt database contents on a system other than the original live system
-GetID
  • This will get only the ODUID as a hex string for use in offline decryption.

Have a nice 4N6!

About

WhatsApp Desktop Live Forensics - Decryption&Extraction Technique

medium.com/@alberto.magno/whatsapp-desktop-and-web-live-forensics-4n6-233f640e9fb3

Topics

cryptography desktop forensics whatsapp

Resources

Readme

License

GPL-3.0 license
Activity

Stars

43 stars

Watchers

2 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages