{
	"id": "eeaa14a0-ceb4-419d-8feb-1a5a4a2349e4",
	"created_at": "2026-04-06T00:11:44.243691Z",
	"updated_at": "2026-04-10T13:11:36.682227Z",
	"deleted_at": null,
	"sha1_hash": "b9e2f6d289d01d6488d69f2973c58aeb5b9c8e8e",
	"title": "Extract and Decrypt WhatsApp Backups from iCloud",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 323462,
	"plain_text": "Extract and Decrypt WhatsApp Backups from iCloud\r\nBy Oleg Afonin\r\nPublished: 2017-07-20 · Archived: 2026-04-05 14:36:00 UTC\r\nFacebook-owned WhatsApp is the most popular instant messaging tool worldwide. Due to its point-to-point\r\nencryption, WhatsApp is an extremely tough target to extract.\r\nAs we already wrote in yesterday’s article, WhatsApp decryption is essential for law enforcement since, due to\r\nits popularity and extremely tough security, it is a common choice among criminals. However, the need for\r\nWhatsApp decryption is not limited to law enforcement. Us mere mortals may need access to our own\r\ncommunications when re-installing WhatsApp, changing devices or extracting conversations that occurred on a device\r\nwe no longer possess. Since WhatsApp data is not always available in iOS system backups, using WhatsApp’s own\r\nstand-alone cloud backup system is the more reliable choice compared to pretty much everything else.\r\nElcomsoft Explorer for WhatsApp can now access iPhone users’ encrypted WhatsApp communication histories\r\nstored in Apple iCloud Drive. If you have access to the user’s SIM card with a verified phone number, you can\r\nnow use Elcomsoft Explorer for WhatsApp to circumvent the encryption and gain access to iCloud-stored\r\nencrypted messages. In this article, we’ll tell you how it works, and provide a step-by-step guide to extracting and\r\ndecrypting WhatsApp backups from iCloud Drive.\r\nBackground\r\nIn December 2016, WhatsApp was updated to version 2.16.17. In this build, the company started encrypting its\r\nstand-alone backups stored in iCloud Drive, instantly rendering existing extraction methods ineffective. 
Before the\r\nchange, Elcomsoft Explorer for WhatsApp could be used to successfully access WhatsApp chat archives by\r\nlogging in to the user’s iCloud account using their valid authentication credential (a combination of login and\r\npassword or binary authentication token extracted from the user’s computer). WhatsApp encryption put up a\r\nsignificant roadblock, effectively preventing this practice and only allowing WhatsApp extraction from iOS\r\nsystem backups (local and iCloud-based).\r\nHow It Works\r\nSince last year, both manual and daily stand-alone backups stored by WhatsApp in iCloud Drive are automatically\r\nencrypted. The encryption key, generated by WhatsApp when the user makes a backup for the first time, is unique\r\nfor each combination of Apple ID and phone number. Different encryption keys are generated for different phone\r\nnumbers registered on the same Apple ID. These encryption keys are generated and stored server-side by\r\nWhatsApp itself; they are never stored in iCloud, and they cannot be extracted from the device.\r\nhttps://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/\r\nPage 1 of 8\n\nElcomsoft Explorer for WhatsApp 2.10 gains the ability to generate encryption keys for WhatsApp’s iCloud\r\nbackups, successfully bypassing encryption and gaining access to WhatsApp conversation history and underlying\r\nmessages. In order to generate the encryption key, experts must be able to receive a WhatsApp verification code\r\nsent to the phone number for which a given backup was created. In addition, the user’s Apple ID and password (or\r\nbinary authentication token) are required to gain access to the backup itself.\r\nBy using the associated phone number and iCloud authentication credentials, Elcomsoft Explorer for WhatsApp\r\ninitiates the process of registering itself as a new “device” with WhatsApp. 
After passing the verification process,\r\nthe tool can request the encryption key from WhatsApp and use that key for decrypting the backup.\r\nPermanent decryption key: The decryption key received by Elcomsoft Explorer for WhatsApp is permanent and\r\ndoes not change even if the user changes their Apple ID password. The decryption key remains valid even after re-authenticating WhatsApp with the same phone number and Apple ID. The same key can be used to decrypt older\r\nbackups created before the key was retrieved.\r\nNote: since WhatsApp is restricted to only running on a single device, the user’s iPhone will no longer be able to\r\nsend or receive WhatsApp messages after transferring WhatsApp registration to Elcomsoft Explorer for\r\nWhatsApp unless the user re-registers it.\r\nElcomsoft Explorer for WhatsApp employs a smart workaround for processing WhatsApp extraction from iCloud.\r\nThis is how it works.\r\nIn order to generate an encryption key, do the following.\r\n1. Launch Elcomsoft Explorer for WhatsApp\r\n2. In Elcomsoft Explorer for WhatsApp, observe the two green icons “iOS” and “Android” located in the\r\nbottom left part of the main window. Click on the iOS icon. (Refer to online manual)\r\n3. Click on the green iOS icon again. Select “Download files from iCloud Drive” from the menu. Note: you\r\nwill not have to repeat the authentication process as Elcomsoft Explorer for WhatsApp will use cached\r\ncredentials from the previous steps.\r\n– Download files from iCloud Drive\r\n– Download iCloud backup\r\n– Load iTunes/iCloud backup\r\n4. If the Apple ID account has two-factor authentication, you will be prompted for a code\r\n5. Enter the 2FA code\r\n6. The downloading process begins. 
If the Apple ID account has data for multiple devices and/or multiple\r\nbackups, the process may take a while\r\n7. Once the download completes, you will see a message that warns that the data is encrypted.\r\n8. You can use the Decrypt option to instantly decrypt data. Alternatively, you may click Open to have data\r\nloaded into the viewer. At this time, you can only access media files; text conversations are still encrypted.\r\n9. If you attempt to access encrypted data, you will be prompted for a code.\r\n10. Click Send to request a code. The code will be delivered to the phone number. Enter the code into the\r\n“Verification code” box.\r\n11. Once the correct code is entered, the data is instantly decrypted. If you have other encrypted data, click on\r\nthe lock sign to instantly decrypt. Newly downloaded data will be decrypted automatically.\r\nAttachments: Still No Encryption\r\nUntil last week, WhatsApp users could only exchange pictures, videos and PDF files. The recent update removed\r\nthat limitation, now allowing users to exchange all types of files. Interestingly, WhatsApp does not encrypt\r\nattachments once they are received and backed up. Once Elcomsoft Explorer for WhatsApp obtains a backup, it\r\nalso receives all attachments. 
Unlike messages, attachments are stored unencrypted, and can be accessed even if\r\nyou don’t have access to the registered phone number.\r\nElcomsoft Explorer for WhatsApp saves attachments to a single archive (the way they are kept in the cloud):\r\n%AppData%\\Elcomsoft\\Elcomsoft eXplorer for WhatsApp\\Backups\\N\\57T9237FN3~net~whatsapp~WhatsApp\\WhatsApp\\Accounts\\xxxxxx\\backup\\document.tar\r\nIn the path above, “N” represents the EXWA-assigned backup number, while “xxxxxx” would be the registered\r\nphone number.\r\nWhatsApp Extraction: What’s Supported and What Is Not\r\nAt this time, WhatsApp acquisition is possible via a number of different methods.\r\nOS | Source | Encryption | Extraction Method\r\niOS | iCloud Drive (before WhatsApp 2.16.17) | No | iCloud Drive download\r\niOS | iCloud Drive (WhatsApp 2.16.17 and newer) | Yes, AES 256 | 1. iCloud Drive download; 2. phone number verification; 3. extraction of WhatsApp encryption key\r\niOS | iTunes backups | No | Local backup analysis\r\niOS | iCloud backups | No | iCloud backup download\r\nAndroid | ADB backups | |\r\nAndroid | Google Drive backups | Yes |\r\nAndroid | SD card backups | Yes |\r\nAndroid | Extraction from a rooted device | No | Low-level extraction of the original database using root access\r\nAndroid | Extraction from devices without root access | No | Downgrading WhatsApp; Creating a WhatsApp backup\r\nNote: WhatsApp only encrypts text messages and calls. Media files (photos, videos, attachments and voice\r\nmessages) are never encrypted.\r\nConclusion\r\nDespite the discovered workaround allowing experts to decrypt WhatsApp conversations, WhatsApp remains one\r\nof the most reliable instant messaging services. 
Based on Whisper Systems communication protocols, its traffic\r\ncannot be decrypted even if someone manages to intercept it.\r\nCloud backups remain one of the few attack vectors that allow remote access to WhatsApp communication\r\nhistory. If you have cloud backups enabled in WhatsApp and your iPhone is suddenly de-registered from your\r\nWhatsApp account, watch out as someone could have accessed your data. As always, we recommend activating\r\ntwo-factor authentication to protect your Apple ID.\r\nREFERENCES:\r\nElcomsoft Explorer for WhatsApp\r\nElcomsoft Explorer for WhatsApp is a tool to download, decrypt and display WhatsApp communication histories.\r\nThe tool automatically acquires WhatsApp databases from one or multiple sources, processes information and\r\ndisplays contacts, messages, call history and pictures sent and received. The built-in viewer offers convenient\r\nsearching and filtering, and allows viewing multiple WhatsApp databases extracted from various sources.\r\nElcomsoft Explorer for WhatsApp official web page \u0026 downloads »\r\nSource: https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/"
	],
	"report_names": [
		"extract-and-decrypt-whatsapp-backups-from-icloud"
	],
	"threat_actors": [],
	"ts_created_at": 1775434304,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9e2f6d289d01d6488d69f2973c58aeb5b9c8e8e.pdf",
		"text": "https://archive.orkl.eu/b9e2f6d289d01d6488d69f2973c58aeb5b9c8e8e.txt",
		"img": "https://archive.orkl.eu/b9e2f6d289d01d6488d69f2973c58aeb5b9c8e8e.jpg"
	}
}