Updated: May 2018
WhatsApp Messenger Version 2.18.142
Whapa is a toolset to analyze whatsapp app for android. All tools are written in Python 2.X. Whapa toolset is divided in three tools:
- Whapa (Whatsapp Parser)
- Whademe (Whatsapp Decrypter and Merger)
- Whagodri (Whataspp Google Drive Extractor)
https://github.com/B16f00t/whapa/blob/master/doc/CHANGELOG.md
You can download the latest version of whapa by cloning the GitHub repository:
git clone https://github.com/B16f00t/whapa.git
then:
pip install -r ./doc/requirements.txt
whapa.py is an android whatsapp database parser which automates the process and presents the data handled by the Sqlite database in a way that is comprehensible to the analyst. The software is divided into four modes:
- Message Mode : Analyzes all messages in the database, applying different filters. It extracts thumbnails when they're availables. "./Media" is the directory where thumbnails are being written. The rows are sorted by timestamp not by id.
- Decryption Mode: Decryptes the crypto12 databases as long as it has the key.
- Info Mode : Displays different information about statuses, broadcasts list and groups.
- Extract Mode : Extracts all thumbnails from the database
If you copy the "wa.db" database into the same directory as the script, the phone number will be displayed along with the name.
Please note that this project is an early stage. As such, you could find errors. Use it at your own risk!
__ __.__ __________
/ \ / \ |__ _____ \______ \_____
\ \/\/ / | \\__ \ | ___/\__ \
\ /| Y \/ __ \| | / __ \_
\__/\ / |___| (____ /____| (____ /
\/ \/ \/ \/
---------- Whatsapp Parser v0.5 -----------
usage: whapa.py [-h] [-k KEY | -i | -m | -e] [--update]
[-u USER | -ua USER_ALL | -g GROUP | -a] [-t TEXT] [-w] [-s]
[-b] [-ts TIME_START] [-te TIME_END] [-r [{EN,ES}]]
[-tt | -ti | -ta | -tv | -tc | -tl | -tx | -tp | -tg | -td | -tr]
[DATABASE]
To start choose a database and a mode with options
positional arguments:
DATABASE Database file path - './msgstore.db' by default
optional arguments:
-h, --help show this help message and exit
-k KEY, --key KEY *** Decrypt Mode *** - key file path
-i, --info *** Info Mode ***
-m, --messages *** Message Mode ***
-e, --extract *** Extract Mode ***
--update Update Whatsapp Parser Tool
-u USER, --user USER Show chat with a phone number, ej. 34123456789
-ua USER_ALL, --user_all USER_ALL
Show messages made by a phone number
-g GROUP, --group GROUP
Show chat with a group number, ej. 34123456-14508@g.us
-a, --all Show all chat messages classified by phone number,
group number and broadcast list
-t TEXT, --text TEXT Show messages by text match
-w, --web Show messages made by Whatsapp Web
-s, --starred Show messages starred by owner
-b, --broadcast Show messages send by broadcast
-ts TIME_START, --time_start TIME_START
Show messages by start time (dd-mm-yyyy HH:MM)
-te TIME_END, --time_end TIME_END
Show messages by end time (dd-mm-yyyy HH:MM)
-r [{EN,ES}], --report [{EN,ES}]
Make an html report in 'EN' English or 'ES' Spanish.
If specified together with flag -a, makes a report for
each chat
-tt, --type_text Show text messages
-ti, --type_image Show image messages
-ta, --type_audio Show audio messages
-tv, --type_video Show video messages
-tc, --type_contact Show contact messages
-tl, --type_location Show location messages
-tx, --type_call Show audio/video call messages
-tp, --type_application
Show application messages
-tg, --type_gif Show GIF messages
-td, --type_deleted Show deleted object messages
-tr, --type_share Show Real time location messages
-
Message mode:
python whapa.py -mShow all messages from the database.
python whapa.py -m -tS "12-12-2017 12:00" -tE "13-12-2017 12:00"Show all messages from 12-12-2017 12:00 to 13-12-2017 12:00.
python whapa.py -m -w -tIShow all images send by Whatsapp Web.
python whapa.py -m -g 34XXXXXXXXX-1345475288@g.usShow all messages send by that group.
python whapa.py -m -a -r ENShow all chats of the phone and makes English reports.
-
Decrypt mode:
python whapa.py msgstore.db.crypt12 -k keyDecrypt msgstore.dbcrypt12, creating msgstore.db
-
Info mode:
python whapa.py -iShow a stage with options about groups, broadcast lists and statuses.
-
Extract mode:
python whapa.py -e -ts "01-01-2018 00:00"Extract all thumbnails from '01-01-2018 00:00' so far.
To create reports the first thing we need to do is to configure the file"./cfg/settings.cfg". For example:
[report]
logo =./cfg/logo.png
company = Foo S.L
record = 1337
unit = Research group
examiner = B16f00t
notes = Chat maintained between the murderer and the victim
Here we must put our company logo, company or unit name, as well as the assigned registration number, unit or group where we belong, who is the examiner and we can also specify notes on the report.
To generate the report we must specify the flag "-r" or "-r EN" if we want the report in English, as well as "-r ES" if we want the report in Spanish.
Usage example: python -m -r -u 34XXX230775 (Creates a report of the conversation with the user 34XXX230775)
Note that to create a report that makes sense to the reader you must always specify a user with the flag "-u" or a group with the flag "-g". (To know the group number we want to use in our report we can first use the command "python whapa.py -i" and then copy and paste it into the command "python -m -r -g PASTE-HERE-GROUPNUMBER@g.us"), or the flag "-a", which creates a report of all conversations held (slow option).
If you copy the "wa.db" database into the same directory as the script, the phone number will be displayed along with the name.
For the report to contains the images, videos, documents... you must copy the "WhatsApp/Media" folder of your phone to the whapa directory.
If we want to print the document or create the report in pdf, I recommend in the print option -> scale the view <= 70%, otherwise the report will be displayed too large.
whademe is a tool to decrypt directories containing backups and join them in a new database, to be able to be analyzed and obtain more information, such as deleted groups, messages, etc...
__ __.__ ________ _____
/ \ / \ |__ _____ \______ \ ____ / \ ____
\ \/\/ / | \\__ \ | | \_/ __ \ / \ / \_/ __ \
\ /| Y \/ __ \_| ` \ ___// Y \ ___/
\__/\ / |___| (____ /_______ /\___ >____|__ /\___ >
\/ \/ \/ \/ \/ \/ \/
------------ Whatsapp Decrypter and Merger v0.1 ------------
usage: whademe.py [-h] [-k KEY] [-m] [PATH]
Choose a files path to decrypt and/or merge
positional arguments:
PATH Database path - './' by default
optional arguments:
-h, --help show this help message and exit
-k KEY, --key KEY Whatsapp Key path (Decrypt database)
-m, --merge Merge database
whagodri.py is a tool which allows WhatsApp users on Android to extract their backed up WhatsApp data from Google Drive.
__ __.__ ________ ________ .__
/ \ / \ |__ _____ / _____/ ____\______ \_______|__|
\ \/\/ / | \\__ \ / \ ___ / _ \| | \_ __ \ |
\ /| Y \/ __ \\ \_\ ( <_> ) ` \ | \/ |
\__/\ / |___| (____ /\______ /\____/_______ /__| |__|
\/ \/ \/ \/ \/
------------ Whatsapp Google Drive Extractor v0.1 ------------
usage: whagodri.py [-h] [-i | -l | -lw | -p FilePath BackupID | -s] [-f]
Extract your Whatsapp files from Google Drive
optional arguments:
-h, --help show this help message and exit
-i, --info Show information about Whatsapp backups
-l, --list List all available files
-lw, --list_whatsapp List Whatsapp backups
-p FilePath BackupID, --pull FilePath BackupID
Pull a file from Google Drive
-s, --sync Sync all files locally
-f, --flush Flush log file to sync from the beginning
Acknowledgements, suggestions, languages, improvements...
https:/t.me/B16f00t
The developer is not responsible, and expressly disclaims all liability for damages of any kind arising from the use, reference or reliance on the software. The information provided by the software is not guaranteed to be correct, complete and up-to-date.