One of my friends came to me with an Android phone. She said something was wrong with the hardware of her friend's phone, and her friend was eager to back up his data, especially his WeChat chat messages... Unfortunately her friend had forgotten the account/password to log on to WeChat... What can I say... she is one of my best friends... I should do her a favor...
I took a look at this phone and found it was already "rooted". That is good news~ Some people root their phones in order to gain full access, but... guess what... there is an old saying: "Water is a boon in the desert, but the drowning man curses it." Rooted phones are easier to do a physical extraction on, because root privilege has already been unlocked, so the app data under /data/data is readable without any exploit. Those who root their Android phones to get full control of them actually make their smartphones less secure... but for forensic guys, it couldn't be better...
First I interviewed her to gather some basic information about the case. The scenario was that the WeChat version was 6.0.1, and she had no WeChat account/password to log on with... That's all I knew about this case, and now I'd like to explain what I did.
1. Locate the WeChat EnMicroMsg.db (on a rooted phone it is under /data/data/com.tencent.mm/MicroMsg/<32-hex-character account hash>/EnMicroMsg.db) and export it to the forensics workstation you use. Work on a copy and hash it first, so you can show later that the original was not modified.
2. Take a look at EnMicroMsg.db. It's an encrypted (SQLCipher) database, so we cannot see what is inside until we decrypt it...
3. Let me explain how the encryption key of WeChat's EnMicroMsg.db is built. The PRAGMA key is the first 7 characters of MD5(IMEI + WeChat UIN). That's it, very easy to calculate. First figure out the IMEI; you have two options:
a. Dial *#06#
b. Take off the back cover and the battery; the label underneath shows some info including the IMEI. (A dual-SIM phone has two IMEIs; if the first one doesn't work, try the other.)
4. Find out the WeChat UIN. The UIN is the unique ID number of the WeChat account. It is stored in the file system_config_prefs.xml (under /data/data/com.tencent.mm/shared_prefs/).
5. Get the UIN value from that file. It is a signed integer, so if it is negative, keep the minus sign.
6. Concatenate the IMEI and UIN strings. Be careful: there is no separator of any kind between the two strings... Generate the MD5 value; the key is the first 7 hex characters, for example: 9C751DC. Note that SQLCipher treats the passphrase as case-sensitive, so enter the hex digits exactly as your MD5 tool prints them (most tools print lowercase).
7. Now the most important step. You need a tool, SQLCipher, to decrypt EnMicroMsg.db with the PRAGMA key we found. Since SQLCipher is open source, you can find builds by searching for the Guardian Project on the internet. I'll show you the Windows solution first. Notice that the version is 2.1: later SQLCipher releases changed the defaults (HMAC on, many more KDF iterations, larger page size), so a database written by an old WeChat may look like "file is not a database" in a newer build unless you set the legacy pragmas.
8. Use SQLCipher 2.1 to open EnMicroMsg.db and enter the PRAGMA key.
9. You can see the chat messages now...
10. You can also export those chat messages so you don't have to open the database every time.
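The whole procedure from step 3 to step 10 in one script, as an added example that is not code from the original post, from WeChat or from SQLCipher. It assumes the UIN sits in system_config_prefs.xml as `<int name="default_uin" value="..."/>` (a constructed sample file is embedded for that), that the Python package `sqlcipher3` is installed for the open step, and that the legacy SQLCipher parameters (HMAC off, 4000 KDF iterations, 1024-byte pages) match a 2.1-era database; those pragmas and the `message` table columns are taken from common practitioner recipes, not from the post, so treat them as assumptions.

```python
import csv
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of WeChat's shared_prefs/system_config_prefs.xml (not from a real device).
# The UIN is a signed 32-bit integer and can be negative; its decimal string form,
# minus sign included, is what goes into the hash.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="login_user_name">example_user</string>
    <int name="default_uin" value="-1234567890" />
    <boolean name="isLogin" value="false" />
</map>
"""


def extract_uin(prefs_xml: str) -> str:
    """Return the UIN string stored under the (assumed) preference key 'default_uin'."""
    root = ET.fromstring(prefs_xml)
    for node in root.iter():
        if node.get("name") == "default_uin":
            value = node.get("value")
            if value is None:  # some dumps carry the value as element text instead
                value = (node.text or "").strip()
            return value
    raise ValueError("default_uin not found in system_config_prefs.xml")


def derive_wechat_key(imei: str, uin: str) -> str:
    """First 7 lowercase hex characters of MD5(IMEI + UIN), concatenated with no separator.

    SQLCipher passphrases are case-sensitive, so the digits are kept lowercase.
    No IMEI format check is done on purpose: dual-SIM phones have two IMEIs and
    devices without one may have given WeChat another identifier, so the caller
    may need to try several candidates.
    """
    digest = hashlib.md5((imei + uin).encode("ascii")).hexdigest()
    return digest[:7]


def candidate_keys(imeis, uin: str):
    """Keys for every IMEI candidate, e.g. both slots of a dual-SIM phone."""
    return [derive_wechat_key(i, uin) for i in imeis]


def open_enmicromsg(db_path: str, key: str):
    """Open EnMicroMsg.db with SQLCipher; raises if the key or parameters are wrong.

    Needs the 'sqlcipher3' package (pip install sqlcipher3-binary), an assumption
    of this example. The pragmas are the legacy SQLCipher 1.x/2.x settings commonly
    reported for WeChat databases; newer SQLCipher builds default to HMAC on,
    more KDF iterations and 4096-byte pages, which makes the file look corrupt.
    """
    import sqlcipher3  # imported lazily so the hashing part runs without it

    if not key or any(c not in "0123456789abcdef" for c in key):
        raise ValueError("key must be lowercase hex digits")
    conn = sqlcipher3.connect(db_path)
    conn.execute(f"PRAGMA key = '{key}'")  # key is validated hex, so safe to inline
    conn.execute("PRAGMA cipher_use_hmac = OFF")
    conn.execute("PRAGMA kdf_iter = 4000")
    conn.execute("PRAGMA cipher_page_size = 1024")
    # A wrong key or wrong pragmas surface here as 'file is not a database'.
    conn.execute("SELECT count(*) FROM sqlite_master").fetchone()
    return conn


def export_messages(conn, out_csv: str) -> int:
    """Dump the 'message' table (assumed column names) to CSV; returns the row count."""
    rows = conn.execute(
        "SELECT msgId, createTime, talker, isSend, content "
        "FROM message ORDER BY createTime"
    ).fetchall()
    with open(out_csv, "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(["msgId", "createTime", "talker", "isSend", "content"])
        writer.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    import sys
    # usage: python wechat_key.py <IMEI> <path/to/system_config_prefs.xml> [EnMicroMsg.db]
    imei = sys.argv[1]
    with open(sys.argv[2], encoding="utf-8") as fh:
        uin = extract_uin(fh.read())
    key = derive_wechat_key(imei, uin)
    print(f"UIN={uin} key={key}")
    if len(sys.argv) > 3:
        conn = open_enmicromsg(sys.argv[3], key)
        print(export_messages(conn, "messages.csv"), "messages exported to messages.csv")
```

Run it with the IMEI and the pulled prefs file to get the key; add the database path as a third argument to open it and write messages.csv. If the open step fails with "file is not a database", check the key case and the IMEI candidate before blaming the pragmas, since a key typo and a wrong IMEI produce exactly the same error as wrong cipher settings.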
Finally, I re-encrypted the WeChat EnMicroMsg.db for her. She was very happy with that. A couple of days later I realized that it was her boyfriend's smartphone... What a tragedy, I did not do it on purpose... Sorry buddy... Hope you will be alright this time... I think she will kill you if she finds some ambiguous chat messages on your phone... God bless you...