WeChat does not make use of a database directory. On the contrary, MicroMag serves to be its equivalent. The directory present in the MicroMag contains the EnMicroMsg.db<\/strong> database. This file stores all the chat messages of WeChat. However, this database is encrypted by using SQLCipher<\/strong>. It is an open source extension that is used for encrypting the entire database with 256-bit AES encryption. Nevertheless, the positive aspect about this encryption is that, the key for decrypting the file is present on the device itself.<\/p>\n During WeChat forensics, there are four different parameters, which are used to encrypt and decrypt the data stored in EnMicroMsg.db. These are:<\/p>\n This parameter is used for setting the key that needs to be use with the database.<\/p>\n This disables the use of per-page HMAC checks for compatibility with SQLCipher 1.1.<\/p>\n This is used for changing the default size of the page to improve performance.<\/p>\n This parameter changes the count of iterations that are used with PBKDF2 key derivation.<\/p>\n In WeChat analysis to decrypt the EnMicroMsg.db file, the KEY plays the most important role. It is generated from the MD5 Hash value that is a combination of IMEI and UIN. Only the first 7 characters of the value generated by the MD5 hash is used as a KEY.<\/p>\n IMEI (International Mobile Identification Number<\/strong>) is the unique 15-digits number, which is written at the back of the mobile. You can also enter *#06# to see the IMEI number.<\/p>\n UIN<\/strong> (Unique Identifier)<\/strong> is the number that can be found from the WeChat application folder in the file system_cnfig_prefs.xml<\/strong>.<\/p>\n The formula for generating the KEY with UIN and IMEI number is<\/p>\n![\"WeChat](\"https:\/\/www.acquireforensics.com\/blog\/wp-content\/uploads\/2015\/10\/data1.png\")
<\/a><\/p>\n\n
\n
\n
\n
Manual Decryption Of EnMicroMsg.db Under WeChat Forensics<\/strong><\/h2>\n