WhatsApp is one of the most widely used mobile messaging applications globally, with over 2 billion users across 180 countries. It protects user communications with end-to-end encryption to prevent third parties from reading them, and offers convenient features that allow users to automatically backup their data regularly or store end-to-end encrypted backups.
In particular, WhatsApp’s chat backup feature can be used to collect chat data when the app data area is inaccessible on a mobile device. The backup files generated via this chat backup feature are stored in the media area, making them easier to obtain. These files may also contain deleted records by the user, which can serve as crucial evidence in investigations.
This article aims to explain WhatsApp’s built-in backup features, compare the original DB and backup DB, and highlight the available information in the backup file. It is based on data extracted from WhatsApp v2.25.12.74 for Android.
WhatsApp Backup Feature
WhatsApp provides two different methods for backup: the Automatic Backup feature, which generates a chat backup at a specified interval, and the End-to-End Encrypted Backup feature, which applies end-to-end encryption when generating a chat backup.
Automatic Backup
You can select the time interval for backup: daily, weekly, monthly, or only when you tap ‘Automatic backups’ to initiate backup.
- Select the three-dot menu icon and go to ‘Settings’ > ‘Chats’.
- Select ‘Automatic backups’ and choose the backup interval.
End-to-End Encrypted Backup
You can create an end-to-end encrypted chat backup.
- Select three-dot menu icon and go to ‘Settings’ > ‘Chats’.
- Go to ‘Chat backup’ > ‘End-to-end encrypted backup’ and tap [Turn on].
- Tap [Use 64-digit encryption key instead] > [Generate your 64-digit key]. Make sure to save the key securely. Then, tap [Continue].
- Select [I Saved My 64-digit Key] > [Create] to start the backup process. Wait until the ‘Backing up messages’ progress message disappears.
WhatsApp Chat DB Comparison: Original VS Backup
Backup File and Decryption Key Save Location
WhatsApp stores its backup DB in different formats depending on the selected backup method.
• When using the ‘Automatic backup’ feature, the chat DB are encrypted in .crypt14 format and stored in the media area.
• When using the ‘End-to-end encrypted backup’ feature, the chat DB are encrypted in .crypt15 format and stored in the media area.
• If a user has used WhatsApp multi-account, separate backup files can be created for each account, and a backup DB is generated per each account.
The table below summarizes the information above:
| Target | Prerequisite | DB Save Location (Based on Android 11) | Decryption Key Save Location |
|---|---|---|---|
msgstore.db |
Chatroom DB saved by default | /data/com.whatsapp/databases |
– |
msgstore.db.crypt14 |
Generated upon automatic backup | /media/0/Android/media/com.whatsapp/WhatsApp/Databases/ |
/data/com.whatsapp/files/key |
msgstore.db.crypt15 |
Generated upon end-to-end encrypted backup | /media/0/Android/media/com.whatsapp/WhatsApp/Databases/ |
/data/com.whatsapp/files/encrypted_backup.key |
*when multi-account is in use:/media/0/Android/media/com.whatsapp/WhatsApp/accounts/[number]/Databases/msgstore.db.crypt15• [number] can be incremented sequentially from 1001. |
*when multi-account is in use:/data/com.whatsapp/accounts/[number]/files/encrypted_backup.key |
When a new account is created following multi-account deregistration, the folder name under the ‘account’ folder increases sequentially by 1.
WhatsApp Multiple Account Feature
When two accounts are registered on the same Android device, you can switch between accounts to use them. Since each account requires verification with a different phone number, this feature is only available on devices with dual SIM support or with a separate phone number. To learn more about the multi-account feature, please refer to the Appendix or WhatsApp official website.
Available Information
You can find the following information in both original DB (msgstore.db) and the backup DB (msgstore.db.crypt15):
• Active records in chatroom
• Deleted records in chatroom (In backup files, some deleted record may not be available.)
The original DB and backup DB have the same structure, with similar retention period and available information. Both active records and deleted records from the original DB can be found in the backup files. However, some deleted records may not be available for analysis as they are automatically cleaned up by the system during the backup process.
| Target | Available Information | Backup storage period | End-to-End Encryption |
|---|---|---|---|
| msgstore.db | Chatroom and message data | Same | – |
| msgstore.db.crypt15 | Active and deleted records in msgstore.db (Some deleted records may not be found.) | O |
Summary
- WhatsApp backup DB files are stored in the media area, so you can utilize the backup feature to extract WhatsApp data alongside the Full Filesystem and ADB extraction methods.
- The ‘End-to-end encrypted backup’ feature generates a backup DB encrypted in
.crypt15format. You can use the 64 keys generated during the backup process to decrypt these files. - You can analyze active and deleted records of the original DB (
msgstore.db) in the end-to-end encrypted backup (msgstore.db.crypt15). However, some deleted records may not be available for analysis if they were cleaned up during the backup process.
Appendix
How to Create Multi-Account
- Select three-dot menu icon > ‘Settings’ > ‘Account’ > ‘Add account’.
- Select [Agree and continue], then enter a different phone number.
- Enter the verification code sent via SMS or call, then complete your profile setup.
How to Switch Account
Select three-dot menu icon > ‘Switch accounts’ to switch between accounts. This option is available only when multiple accounts are registered.
For more details, visit the official WhatsApp website.
