Forensic analysis of Telegram Messenger for Windows Phone

Forensic analysis of Telegram Messenger for Windows Phone

Digital Investigation xxx (2017) 1e19 Contents lists available at ScienceDirect Digital Investigation journal homepage: www.elsevier.com/locate/diin...
Download PDF
7MB Sizes 415 Downloads 696 Views
Report

Digital Investigation xxx (2017) 1e19

Contents lists available at ScienceDirect

Digital Investigation journal homepage: www.elsevier.com/locate/diin

Forensic analysis of Telegram Messenger for Windows Phone J. Gregorio, A. Gardel*, B. Alarcos , 28871 Alcala  de Henares, Madrid, Spain Instituto Universitario de Ciencias Policiales, Universidad de Alcala

a r t i c l e i n f o

a b s t r a c t

Article history: Received 8 March 2017 Received in revised form 14 July 2017 Accepted 18 July 2017 Available online xxx

This article presents a forensic analysis methodology for obtaining the digital evidence generated by one of today's many instant messaging applications, namely “Telegram Messenger” for “Windows Phone”, paying particular attention to the digital forensic artifacts produced. The paper provides an overview of this forensic analysis, while focusing particularly on how the information is structured and the user, chat and conversation data generated by the application are organised, with the goal of extracting related data from the information. The application has several other features (e.g. games, bots, stickers) besides those of an instant messaging application (e.g. messages, images, videos, files). It is therefore necessary to decode and interpret the information, which may relate to criminal offences, and establish the relation of different types of user, chat and conversation. © 2017 Elsevier Ltd. All rights reserved.

Keywords: Forensic analysis methodology Telegram Messenger Instant messaging Smartphones Windows Phone

Introduction The wide variety of forms of communication available today include voice calls, text messages, multimedia messages, emails, VoIP calls and instant messaging. Thanks to the development of fast data networks (e.g. WiFi, 3G, 4G) and the use of digital devices (e.g. smartphones, tablets, smartwatches), such communication is established immediately. In addition, specific functions have been developed to verify the information transmitted (e.g. text, images, videos, documents), facilitating user interaction. However, the speed at which these new technologies are changing and the high number of applications available whose primary function is instant messaging (IM), render it necessary to conduct detailed studies of this kind of application. Different platforms (mobile or desktop environments) host a wide range of applications whose main but not exclusive function is IM (e.g. Facebook Messenger, iMessage, Line, Signal, Snapchat, Tango, Telegram, QQ, Threema, Viber, WeChat, WhatsApp) (Husain et al., 2010). Similarly, many other applications (e.g. POF, MeetMe, Wallapop) are not primarily intended for instant communication between users but nevertheless include this function. IM has become an essential means of communication used on countless occasions, far outstripping voice calls or text messages (SMS) (Lundgren, 2015;

* Corresponding author. E-mail addresses: [email protected] (J. Gregorio), [email protected] (A. Gardel), [email protected] (B. Alarcos).

Woollaston, 2013). IM applications are no longer used solely for personal communication but are also increasingly employed in business and professional environments as a means of official communication, and as a vehicle for criminal acts such as threats, phishing, cyberbullying, grooming and terrorist propaganda (Ragan, 2015; Cuthbertson, 2015; Engel, 2015; Kharpal, 2015; Clare Foges, 2015). This paper presents a new forensic analysis methodology is proposed and applied to the information generated by the mobile application “Telegram Messenger” for “Windows Phone” (WP), since no previous studies of the information stored by this IM application for this platform have been found in the literature. Forensic analysts face various problems in relation to these applications, including constant upgrades and new features released with each new version (e.g. setting the frequency with which to delete messages on the recipient device, sending different file types, maximum size of files to send, voice calls via data or VoIP). There are several commercial forensic tools available that forensic analysts generally rely on to analyse the information generated by these applications; however, these tools do not always interpret all the information on the artifacts; they might produce false positives, or not cover the application or version in question). No single forensic tool covers all IM applications, or all of their features. Consequently, several of these tools are required in order to cover the full spectrum of mobile applications on the market. Unfortunately, many commercial tools base the range of applications they cover on the number of application downloads or even on client requests for the analysis of a specific application.

http://dx.doi.org/10.1016/j.diin.2017.07.004 1742-2876/© 2017 Elsevier Ltd. All rights reserved.

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

2

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

Forensic analysts cannot afford to be limited by these constraints or to rely solely on the information processing capacity of these tools, since they may not identify all the applications installed or may only perform a rudimentary analysis of the information. Thus, none of the commercial forensic tools examined in the present study (Cellebrite 2016a,b; Oxygen Forensics 2016; Magnet Forensics 2016) offered satisfactory support for “Telegram Messenger” for WP, rendering it necessary to analyse and interpret the data stored by this application. The rest of this article is organised as follows. The pertinent literature on forensic analysis and digital security is discussed in the “Related work” section. Then, the proposed methodology and the steps to conduct the analysis are described in the “Methodology for Forensic Analysis” section. The data structure used in Telegram Messenger Application for Windows Phone is described in next section “Data structure of Telegram Messenger for Windows Phone”. The commercial and/or open source tools used and the results obtained are detailed in the “Forensic Analysis of data extracted from Telegram Messenger” section. Some use cases are shown in the “Forensic use cases” section and the paper ends with the “Conclusions”. Related work The “Windows Phone” operating system does not currently have a large market share (International Data Corporation, 2016; Statista, 2016), being far surpassed by others. However, its mere existence, the constant development of new applications and their potential use to commit criminal acts all render it necessary to conduct technical studies of mobile applications, since they may at some point be subject to forensic analysis. Few technical forensic studies have been conducted on the applications available in Windows Phone Store. Similarly, the list of applications and updates compiled by some commercial forensic tools (Cellebrite 2016a,b; Magnet Forensics, 2014) is relatively brief. Although there are numerous studies on the forensic analysis of instant messaging applications, the present study differs not only in terms of the platform selected and its data management system, but also as regards how the information should be related. In contrast to the relational databases found on other systems, on “WP”, “Telegram Messenger” stores information in different data files which contain fixed and variable data structures, rendering it difficult to relate the data. As stated above, no technical studies have addressed this particular IM application for WP, although several papers are relevant to the forensic analysis methodology proposed here. Husain and Sridhar (2009) conducted a forensic analysis of three different instant messaging applications for the Apple iPhone (AIM, Yahoo! Messenger and Google Talk). Their study demonstrated the different IM artifacts that can be recovered, which include the password, conversation timestamp and conversation details. Some of this data were obtained in our study of the “Telegram Messenger” IM application. In a more recent study, Aditya Mahajan et al. (2013) conducted a forensic analysis of data on two social messaging applications (WhatsApp and Viber), and determined the kind of data and information (e.g. chat, voice calls, sending and receiving images, audio) stored on the device's internal memory on Android smartphones. As shown in the section “Forensic analysis”, the present study could prove helpful in relation to the structure of data stored in the application “Telegram Messenger” for “Android” devices. One important issue for forensic analysis is to reconstruct the timeline of the extracted data. Anglano (2014) has shown how to reconstruct the chronology of contacts and the messages

exchanged by users from the chat database, analysing deleted messages, when these were exchanged and which users exchanged them. The author provides a description of the information extracted from a study of the artifacts generated by WhatsApp Messenger, which is one of the methods included in the analysis methodology presented here. Besides conducting a forensic analysis of one of the applications with the largest market share, he also examined the artifacts, by generating different scenarios (or evidence of use). Also of relevance is the paper by Satrya et al. (2016), comparing IM on Android smartphones, in which the authors describe a digital forensic analysis of three social IM applications on Android smartphones: Telegram (“Secret Chat”), Line (“Hidden Chat”) and KakaoTalk (“Secret Chat”). They performed an offline and live logging forensic analysis of normal chat and private chat. The forensic analysis methodology proposed here is based on a combination of different analyses (open knowledge analysis, analysis of artifacts and analysis of source code) of the different functionalities (e.g. users, normal chat, secret chat, conversations) to determine the type of data and information stored in the internal memory and how these are related on social messenger applications. The previous studies analyzed in this paper were based mainly on the analysis of artifacts. Methodology for forensic analysis The proposed methodology for extracting and processing information in a forensic analysis of an IM application consists of the three steps described below; these can be combined together to provide insight into the data and their interpretation. 1. Open knowledge: A study of the various open data sources available, including technical studies, books, related blogs and others, to obtain information on the application. Depending on the case, this information should be verified by the forensic analyst. Due to the constant release of new versions and features, it is not sufficient to understand the basics of an application; rather, it is necessary to know about each new feature that has been added, modified or removed, in order to possess a detailed knowledge of the tool's potential. Sometimes, the developer may provide information about application features, functions and data structure and organisation (schema, functions, data folder and files). This step should be repeated with each new version of the application under examination. 2. Analysis of artifacts: The study of open data sources should be followed by a study of artifacts or the traces these generate on digital devices (e.g. log records, data files). For this, the various commercial and open source forensic tools available should be deployed in the forensic laboratory to identify, acquire, preserve, document, analyse and present the data extracted from the digital evidence, without altering the elements studied and enabling the reproduction of this process at any time by another analyst (ISO/IEC 2012). This step should be repeated several times to obtain the various artifacts and digital evidence generated by the application. 3. Source code: The last step is to study the application programming, obtaining information from the source code itself. This method presents an added complication in that the analyst must know or even learn the programming language in which the application is written. A source code study yields a more technical and detailed level of knowledge about how the application works. When the source code it is not available, it may be necessary to carry out reverse engineering to discover the behavior of the application. This step should be repeated with each new version of the application.

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

The proposed methodology is implemented by means of the sum of the three above described methods. The analysis of artifacts is the most common method, but is supported by the other two methods to improve the understanding of the information data structures of the application and to increase the confidence in the correct meaning and interpretation of the data structures. The reliability of the forensic analysis results is very important in the court processes. In some cases, it is not possible to apply some of the above methods for different reasons (e.g. lack of information in the Open Knowledge sources, information comes from non-trusted sources, it is not possible to replicate an experiment because the application is obsolete or device that generated the artifacts in the past is now not available, lack of public source code, etc.). In this situation, the methodology must use the sum of the available methods to obtain the most accurate and reliable information for the forensic analysis. When the analysis starts, the three methods are usually applied in the described order. However, along the analysis process it is necessary to switch between methods to contrast or clarify the results obtained. So, we can summary that the three methods are mutually complementary (Fig. 1). The described methodology pretends the analyst gathers as much information as possible from a mobile application, regardless of the app version or the used operating system. In addition, using the sum of the three methods provides more confidence over the authenticity of the resulting information.

Data structure of Telegram Messenger for Windows Phone Before starting the analysis of Telegram Messenger for WP using the proposed methodology, this section is devoted to explaining how to interpret the data structure used by telegram application and how to parse the data obtained from an artifact according to the data structure. Applying the open knowledge method, we have found out that the data structures are defined by means of “TL Language”, which consists of different object types (e.g. “User”, “Chat”, “Dialog”, “Participant”, “Photo”, “FileLocation”) depending on the type of information stored. In turn, each object type has different

3

constructors. These constructors correspond to the different data structures where information is stored. For example, the object type “User” (user information) has the constructors “userContact” and “userDelete”, among others, while the object type “Chat” (chat information) includes the constructors “chat” and “chatEmpty”. Some constructor data structures include other structures, forming nested data structures, as is the case with the object type “UserProfilePhoto” and its constructor “userProfilePhoto”. This constructor stores the structure with the information corresponding to the user's profile photo, which includes the location of the image file. This location is stored by means of the data structure of the constructor “fileLocation” (object type “FileLocation”). The constructor “userProfilePhoto” consists of four fields: the first “Id” (type “Int”) is the unique identifier of the constructor “userProfilePhoto” (0xC8D859D5), the second “photo_id” (type “Long”) is the unique code for the photo, and the last two fields, “photo_small” and “photo_big”, (object type “FileLocation”, TL Language) which identify the location of the profile image file in small and large format (Fig. 2) These two “photo_small” and “photo_big” fields contain the fields corresponding to the data structure of the constructor “fileLocation”: “Id” (the unique identifier of the constructor), “dc_id”, “volume_id”, “local_id” and “secret” (Userprofilephoto constructor; Filelocation constructor). An example of the data structure stored by the constructor “userProfilePhoto” in the “users.dat” data file is shown in Fig. 3 (obtained from artifacts analysis), with corresponding fields shown in the above Fig. 2 (obtained from open knowledge). The beginning of the “userProfilePhoto” constructor data structure is identified by means of its “Id” field corresponding to the hexadecimal value 0xC8D859D5, followed by the “photo_id” field with the hexadecimal value 0xAAA7311B6BB2????, and then the structure of the constructor “fileLocation”, repeated twice corresponding to the “photo_small” and “photo_big” fields. This structure contains the fields “Id”, with a hexadecimal value of 0x7690D653, “dc_id”, “volume_id”, “local_id” and “secret”. Fig. 3 shows the “userProfilePhoto” structure from a particular “users.dat” file example. Those data are displayed in humanreadable format in Table 1. As with all other unique constructor identifiers, the “Id” fields of the constructors “userProfilePhoto” and “fileLocation” (highlighted data in Fig. 2) are stored in data files in “big endian” format, although in the documentation provided by the application, these “Id” fields are displayed in “little endian” format (Fig. 3). In this case, the data structure has been obtained by means of open knowledge (Data structure of Telegram Messenger), public information provided by the application developer. The application has been verified later applying the analysis of the artifacts and the examination of the source code (Source Code Application Telegram Messenger (Telegram for Windows Phone)) provided by de application developer as well. So, the obtained data has been validated using the three proposed methods. Forensic analysis of data extracted from Telegram Messenger

Fig. 1. Conceptual relationship between the three methods proposed in the methodology.

This section describes the forensic analysis of “Telegram Messenger” for WP, using the steps described in the proposed methodology. Due to the different functionalities of IM applications, this paper focuses on those that form the subject of forensic analysis in criminal investigations, while also indicating how to interpret the information contained in the internal memory files of the devices. “Telegram Messenger” offers the typical functions of any instant messaging application. For the present study, an analysis was conducted of the information generated or modified during normal use of the application, such as updating contact information (e.g.

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

4

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

Fig. 2. Example of “userProfilePhoto” structure.

Fig. 3. Example of “userProfilePhoto” structure. “users.dat” data file. Data shown have been redacted to ensure the privacy of the user.

Table 1 Values from in human-readable format (partial data). Field

Number of bytes

Type

Hexadecimal format

Human-readable format

Id userProfilePhoto photo_id photo_small.fileLocation.Id photo_small.fileLocation.dc_id photo_small.fileLocation.volume_id photo_small.fileLocation.local_id photo_small.fileLocation.secret photo_big.fileLocation.Id photo_big.fileLocation.dc_id photo_big.fileLocation.volume_id photo_big.fileLocation.local_id photo_big.fileLocation.secret

4 8 4 4 8 4 8 4 4 8 4 8

int long int int long int long int int long int long

0xC8D859D5 0xAAA7311B28DB???? 0x7690D653 0x01000000 0xCA2D????00000000 0x9D680000. 0xEA3493DBB3?????? 0x7690D653 0x01000000 0xCA2D????00000000 0x9D680000. 0x28DB34B7B6??????

userProfilePhoto constructor 333????????31018 fileLocation constructor 1 70?????62 26781 585????????????3146 fileLocation constructor 1 70?????62 26781 147?????????????5080

adding, deleting, blocking), identifying the type of chat (e.g. userto-user, secret chats, group, channel) and identifying the type of message transmitted (e.g. text, images, video, music, file, location, contact). The study of these IM applications is complex, not solely because of the variety of platforms on which they can be installed, but also due to their high number and diversity, and to constant updates (e.g. removing bugs, adding new features). A description is given below of the technical study conducted according to the steps listed in Section Methodology for forensic analysis. First, a review was conducted of the open knowledge (Data structure of Telegram Messenger) on the application. “Telegram Messenger” provides several links on the website to articles describing how information is organised in different files and structured by the application to store user data. With respect to the second step, the study of artifacts, physical devices or virtual environments can be used. Virtual environments are based on software capable to emulate a physical device. The following physical mobile devices were used due to their availability: Nokia Lumia 625, WP 8.0, Telegram Messenger 1.12.1.0 and Nokia Lumia 1320, WP 8.1, Telegram Messenger 1.27.0.0. To gain a better understanding of the application, the study was conducted using different versions of the mobile device, operating system and application, in order to determine differences in file location and information management, as well as the information (decoding and analysis) provided by the various commercial forensic tools (UFED

Touch 4.2, UFED Physical Analyzer 4.5.1.13, Oxygen Forensics Analysis 8.1.0.105, Internet Evidence Finder 6.8.1.2634 and WinHex 18.8). The physical devices were used to run a variety of functions (e.g. update contact information, send messages). In addition, the information was rigorously extracted, documented, analyzed and preserved in accordance with manuals on good forensic practice (ENFSI 2015). Windows Phone data were acquired using UFED Touch 4.2. This tool can perform different types of extraction on Nokia Lumia 625 and Nokia Lumia 1320 devices, including logical and physical extraction. Data were acquired by means of physical extraction (a physical image), which yields a better level of information than logical extraction. Third, a comprehensive analysis was conducted of the application source code. In this case, the “Telegram Messenger” website provides the source code for the operating systems supported (Source Code Application Telegram Messenger (Telegram for Windows Phone)). In particular, the source code is written using C#. All the tests conducted to study the artifacts generated by contact information updates, chats, conversations, messages, secret chats and secret messages were contrasted with the “Telegram Messenger” source code. In our work, the proposed methodology has been applied over several versions of the Telegram Messenger and different versions of the operating system. In general, we can say that the proposed methodology can be applied no matter what application version

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

and operating system is used. While the technical details have not been attached, in order to not extend the paper, we have to say that the proposed methodology has also been used to make a forensic analysis of “Telegram Messenger” on Android. The data structures have been obtained applying open knowledge (Data structure of Telegram Messenger). The artifact study has been carried out using data extracted (ENFSI 2015) from mobile devices (LG Nexus 5, Android 6.0.1, Telegram Messenger 3.6.0), and finally, the source code provided by the application developer has been analyzed (Source Code Application Telegram Messenger (Telegram for Android)). For the technical part of this paper, the three steps outlined above were employed to obtain very diverse information about the application; nevertheless, this article primarily focuses on the artifacts generated by the application on physical devices, supported by a study of open knowledge and the source code.

Analysis of the relation between user data files This section illustrates the relation between the data structures described above, located in different user data files. Having examined the steps listed in the “Methodology” section, it is now time to explore the structure of the information stored in the user data files (e.g. “users.dat”, “chats.dat”, “encryptedChats.dat” and “dialogs.dat”). Unlike relational databases (e.g. SQLite), in which data from different tables are related through queries, the relation of data contained in the data files (Table 2, rows 3e6) is more complicated, not only due to how the information is structured but also because of the way in which data files are stored. The information is stored in a fixed and/or variable data structure, differing from the database structure. In addition, in order to process the information stored in the data files (Table 2, rows 3e6) correctly, it must be displayed in hexadecimal format performing different conversions to obtain values intelligible to humans. A study of open knowledge, the artifacts stored in the internal memory of the device and source code revealed that “Telegram Messenger” organises information using different files. Table 2 shows the location of application preferences and notifications (Table 2, row 1), log records (Table 2, row 2), information on the messages exchanged (Table 2, rows 3e6), multimedia files (Table 2, row 7) and other data files (Table 2, row 8). Depending on the device, this information is stored in a different folder. In the case of the Nokia Lumia 635 device, the folder is “Data/Root/Users/DefApps/APPDATA/ {945B96A7-AADC-4DD0-806A-C2D1E0E6CA9A}/Local/”, while for the Nokia Lumia 1320 device, it is “Data/Root/Users/DefApps/APPDATA/Local/Packages/TelegramMessengerLLP.TelegramMessenger Beta_t4vj0pshhgkwm/LocalState/”. Fig. 4 shows the relationship among the different user data files (“users.dat”, “chats.dat”, “encryptedChats.dat” and “dialogs.dat”).

5

Analysis of user information As with any other type of application (not only IM), the user information obtained is of utmost importance in a criminal investigation, since it can be used to identify contacts and relate them to the user. With “Telegram Messenger” for WP, user information is stored in the “users.dat” data file. This section identifies the constructors or types of user of the object type “User”, following the study of open knowledge, artifacts and the source code, obtaining updated data structure information from the latter. The analysis of the “users.dat” file is detailed below. The “users.dat” file contains the records of different types of user, organised into data structures corresponding to the constructors given in Table 3. The information of the data structure and related constructors have been obtained from the open knowledge sources available from (Data structure of Telegram Messenger). Fig. 5 gives examples of the different object type “Users” data structures located in the “users.dat” file, which stores the user from contacts list, user with known phone, user not from the contacts list, deleted user, non-existent user, current authorized user. As can be seen, these data structures store a number of different fields depending on the type of user. The application file “user.dat” is an important artifact containing the user information that has been mapped on the data structure taken out from the open knowledge sources. Fig. 6 shows the data retrieved from a particular “users.dat” file example. Those data are displayed in human-readable format in Table 4. Finally, reviewing the source code (Source Code Application Telegram Messenger (Telegram for Windows Phone)) has been identified the functions that process the user data (write, read, etc) as shows Fig. 7. Analizing these functions has been validated the data structures and the artifacts data. Analysis of chat and secret chat information Through the study of open knowledge, artifacts and the source code, obtaining updated data structure information from the latter, it is possible to identify different types of chat on “Telegram Messenger”, information on which is stored depending on the type of chat (normal or secret), in the corresponding data file. The information obtained from these files is of great importance in criminal investigations, since it can be used to identify users of a given chat, for example. Types of chat are listed below.  User-to-user chat: in this type of chat, two users exchange information (e.g. messages, contacts, images). Information on user-to-user chats is stored in the cloud (or on application servers) in such a way that it is accessible to either user via the

Table 2 Telegram Messenger artifacts in WP. Row#

Content

File name (with extension)

Description

1 2 3 4

ApplicationSettings CommonNotifySettings.xml {YYYY}-{MM}-{DD}.txt users.dat chats.dat, encryptedChats.dat

Preferences and notify settings Events record. Users record Chats and encrypted chats record

dialogs.dat

Messages record

6

Configuration files Log data Users data Chats and encrypted chats data Conversations and messages data Temporal data files

Temp files

7 8

Multimedia files Data files

temp_dialogs.dat, temp_users.dat, temp_chats.dat, temp_encryptedChats.dat etc. Video, Audio, Documents, Images, etc. allStickers.dat, broadcasts.dat, cachedServerFiles.dat, importedPhones.dat, passcode_params.dat, PeopleHub.dat, state.dat

5

Files transferred Others data files

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

6

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

Fig. 4. Relationship of user data files.

Table 3 Constructors of object type “User”. Row#

Object

Type

Constructor name

Description

1 2 3 4 5 6

User User User User User User

Contact Request Foreign Deleted Empty Owner

userContact userRequest userForeign userDeleted userEmpty userSelf

User from the contacts list User not from the contacts list with known phone number (e.g. support app, number phone 42777) User not from the contacts list (e.g. @{username}) User deleted from application. Non-existent user. Current authorized user (owner of application).

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

7

Fig. 5. Example of “User” type structures. “users.dat” data file.

Fig. 6. Example of “User” type structures. “users.dat” data file. “/Data/Root/Users/DefApps/APPDATA/{945B96A7-AADC-4DD0-806A-C2D1E0E6CA9A}/Local/” folder. (Nokia Lumia 635). Data redacted to ensure the privacy of the user.

mobile application (Telegram Messenger), the desktop application (Telegram Desktop) or the web browser (Telegram web).  Secret chat: as with the previous case, secret chats correspond to the exchange of information between two users, but unlike the former, an extra layer of security in the form of end-to-end encryption is added to this chat, hindering information theft. In contrast to the “user-to-user chat”, “secret chat” information can only be accessed via the application installed on the mobile device.  Group and supergroup chats: unlike the two previous types of chat, this type allows the exchange of information between more than two users. The difference between a “Group” and a “Supergroup” chat is the maximum number of members permitted, which in the case of the latter is up to 5000 members.  Channel: this corresponds to a type of chat used as a medium for publishing information. There is no limit on the number of members and there are two types of channel. Public channels place no restriction on who can join, other than the need to

know the name of the channel. Private channels do place access restrictions, and members can only join via an invitation link. Clearly, the information provided by these types of chat is highly relevant, since it can be used to identify the type of chat (user-touser, secret chats, group, channels), participants, the administrator and the date of invitation to the chat, among other things. Depending on the type of chat, this information is stored in the “chats.dat” file or in the “encryptedChats.dat” file. This section identifies the constructors or chat types of the object types “Chat” and “EncryptedChat”. An analysis of the “chats.dat” and “encryptedChats.dat” files is given below. The structure of the chat The “chats.dat” file contains information on the different types of chat (“user-to-user”, “group” or “supergroup” and “channel”), organised into data structures corresponding to the constructors

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

8

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

Table 4 Values in human-readable format (partial data). Field

Number of bytes

Type

Hexadecimal format

Human-readable format

userContact.Id User_id FirstName LastName UserName AccessHash Phone Photo.userProfilePhoto.Id Photo.photo_id Photo.photo_small.fileLocation.Id Photo.photo_small.fileLocation.dc_id Photo.photo_small.fileLocation.volume_id Photo.photo_small.fileLocation.local_id Photo.photo_small.fileLocation.secret Photo.photo_big.fileLocation.Id Photo.photo_big.fileLocation.dc_id Photo.photo_big.fileLocation.volume_id Photo.photo_big.fileLocation.local_id Photo.photo_big.fileLocation.secret Status NotifySettings.NotifySettings.Id NotifySettings.MuteUntil NotifySettings.Sound NotifySettings.ShowPreviews NotifySettings.EventsMask ExtendedInfo Contact.Contact.Id Contact.id_user Contact.mutual

4 4 Variable Variable Variable 8 Variable 4 8 4 4 8 4 8 4 4 8 4 8 4 4 4 variable 4 4 4 4 4 4

int int string String String long string int long int int long int long int int long int long int int int string int int int int int int

0x185EB3CA 0x7399???? 0x07; 0x??????????6E65 0x00000000 0x07; 0x??????????6B6F 0x????????????8C17 0x0B; 0x??????????????????3937 0xC8D859D5 0xA5A8311B73990208 0x7690D653 0x04000000 0x412F????00000000 0x883B0000 0x585B774D???????? 0x7690D653 0x04000000 0x412F????00000000 0x8A3B0000 0x0D347136???????? 0xF1426FE2 0xEE115E8D 0xFFFFFF7F 0x07; 0x44656661756C74 0xB5757299 0x00000000 0xCC0B7356 0x94C911F9 0x7399???? 0xB5757299

userContact constructor 13??????3 Long: 7; data: “?????ne” Empty Long:7; data: “?????ko” 169??????????????33 Long:11; data:”’?????????97” userProfilePhoto constructor 577192421913372837 fileLocation constructor 4 42??????5 15240 62??????????????088 fileLocation constructor 4 42??????5 15242 92??????????????635 UserStatusRecently PeerNotifySettings contructor Tue, 19 Jan 2038 03:14:07 GMT Long:7; data:”default” boolTrue 0 Null Contact constructor 13??????3 boolTrue

Fig. 7. Example of “ToStream” function on source code for “userContact” constructor. “telegram_wp.src\Telegram WP\Telegram WP\HexRequest\HexRequest\TL\TLUserBase.cs” file. “User” type structures.

given in Table 5. Once again, the data structure and related constructors have been obtained from the open knowledge sources (Data structure of Telegram Messenger). Fig. 8 shows several examples of the different data structures of the object type “Chat”, located in the “chats.dat” file, which stores the information corresponding to a chat, chat doesn't exist, and chat may not be accessed by the user. The information stored in the “chats.dat” file should not be confused with the log of exchanged

messages, information on which is stored in the “dialogs.dat” file, as explained below. The application file “chats.dat” is an important artifact containing the user information that has been mapped on the data structure taken out from the open knowledge sources. Fig. 9 shows the data retrieved from a particular “chats.dat” file example. Those data are displayed in human-readable format in Table 6.

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

9

Table 5 Constructors of object type “Chat”. Row#

Object

Type of chat

App name

Description

1 2 3

Chat Chat Chat

Empty Chat Forbidden

chatEmpty chat chatForbidden

Chat of group doesn't exist. Chat. Group that cannot be accessed by the user

Fig. 8. Example of “Chat” type structures. “chats.dat” data file.

Fig. 9. Example of “Chat” type structures. “chats.dat” data file. “/Data/Root/Users/DefApps/APPDATA/{945B96A7-AADC-4DD0-806A-C2D1E0E6CA9A}/Local/” folder. (Nokia Lumia 635). Data redacted to ensure the privacy of the user.

Finally, reviewing the source code (Source Code Application Telegram Messenger (Telegram for Windows Phone)) the functions that process the user data has been identified (e.g. write, read, etc.) as shows Fig. 10. The data structures and the artifacts data have been validated from the analysis of the code inside those functions.

The structure of the secret chat The “encryptedChats.dat” file only contains a log of secret chats (user-to-user), information on which is organised into data structures corresponding to the different constructors given in Table 7. As in previous sections, the information of the data structure and

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

10

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

Table 6 Values from Fig. 9 in human-readable format (partial data). Field

Number of bytes

Type

Hexadecimal format

Human-readable format

chat.Id Id Title Photo.Id Photo.photo_small.fileLocation.Id Photo.photo_small.fileLocation.dc_id Photo.photo_small.fileLocation.volume_id Photo.photo_small.fileLocation.local_id Photo.photo_small.fileLocation.secret Photo.photo_big.fileLocation.Id Photo.photo_big.fileLocation.dc_id Photo.photo_big.fileLocation.volume_id Photo.photo_big.fileLocation.local_id Photo.photo_big.fileLocation.secret ParticipantsCount Date Left Version chatParticipants.Id chatParticipants.chat_id chatParticipants.admin_id Participants Participants.count Participants (1).Id Participants (1).user_id Participants (1).inviter_id Participants (1).date Participants (2).Id Participants (2).user_id Participants (2).inviter_id Participants (2).date ParticipantsCount NotifySettings.NotifySettings.Id NotifySettings.MuteUntil NotifySettings.Sound NotifySettings.ShowPreviews NotifySettings.EventsMask

4 4 variable 4 4 4 8 4 8 4 4 8 4 8 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 variable 4 4

int int string int int int long int long int int long int long int int int int int int int int int int int int int int int int int int int int string int int

0xC79B9C6E 0x3993BC08 0x45; from 0xD985D8 to 0x??????00 0x6A275361 0x7690D653 0x02000000 0xD1D6470D00000000 0x851E0100 0xBFE6BA1EE1CF5F0D 0x7690D653 0x02000000 0xD1D6470D00000000 0x871E0100 0xF615D1A6082284B6 0x2C000000 0x771D5F57 0x379779BC 0x31000000 0x15B44178 0x3993BC08 0x21E51804 0x15C4B51C 0x2B000000 0x3E49D7C8 0x6F39???? 0x8AB3???? 0x16275F57 0x3E49D7C8 0xB863???? 0x8AB3???? 0xF8265F57 0x2C000000 0xEE115E8D 0xFFFFFF7F 0x07; 0x44656661756C74 0xB5757299 0x00000000

chat constructor 146576185 Long: 69; data: “??????????” Photo constructor fileLocation constructor 2 222811857 73349 963717411070731967 fileLocation constructor 2 222811857 73351 5295069841327057418 44 Mon, 13 Jun 2016 20:54:15 GMT booltrue 49 chatParticipants constructor 146576185 68740385 Vector constructor 43 chatParticipant constructor 14?????67 18?????42 Mon, 13 Jun 2016 21:35:18 GMT chatParticipant constructor 11?????52 18?????42 Mon, 13 Jun 2016 21:34:48 GMT 44 PeerNotifySettings contructor Tue, 19 Jan 2038 03:14:07 GMT Long:7; data:”default” boolTrue 0

Fig. 10. Example of “ToStream” function on source code for “chat” constructor. “telegram_wp.src\Telegram WP\Telegram WP\HexRequest\HexRequest\TL\TLChat.cs” file. “Chat” type structures.

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

related constructors have been obtained from the open knowledge sources (Data structure of Telegram Messenger). Likewise, the artifacts analysis and source code (Source Code Application Telegram Messenger (Telegram for Windows Phone)) review assist in the verification and validation of the results. In this case has been analyzed the functions that write data in the file “encryptedChats.dat”. Fig. 11 gives examples of the different data structures of the object type “EncryptedChat”, located in the “encryptedChats.dat” file, which stores information corresponding to an encrypted chat, request for creation of an encrypted chat, encrypted chat doesn't exist, delete encrypted chat, encrypted chat waiting for approval. As with the “chats.dat” file, the information stored in the “encryptedChats.dat” file should not be confused with the log of secret messages exchanged, information on which is stored in the “dialogs.dat” file, as explained below. Analysis of conversation and secret conversation information Once the chats and participating users have been identified (“users.dat”, “chats.dat” and “encryptedChats.dat” files), the information exchanged between chat users can be extracted. Message information identifies not only the message itself (e.g. text, image, video), but also the contact, the type of information sent, status (e.g. received, read), the date of the message and so on. This section identifies the messages and secret messages stored in the “dialogs.dat” data file, following the study of open knowledge, artifacts and the source code, obtaining updated data structure information from the latter. The structure of the message and secret message There are different types of message, and consequently different object types such as “Message”, “MessageMedia”,

11

“DecryptedMessage” and “DecryptedMessageMedia”, corresponding to messages, multimedia messages, secret messages and secret multimedia messages, respectively. An explanation will be given below of how these structures are included in other main structures such as the object type “Dialog”. The “dialogs.dat” file contains a log of messages and messages with attachment, information on which is organised into data structures corresponding to the different constructors given in Table 8. The information of the data structures and related constructors has been obtained from the open knowledge sources (Data structure of Telegram Messenger). Thus, depending on the type of message (normal or media), the “dialogs.dat” file contains the data structures of “messageEmpty”, “message”, “messageService”, “messageForbidden”, “messageMediaEmpty”, “messageMediaPhoto”, “messageMediaVideo”, “messageMediaGeo”, “messageMediaContact”, “messageMediaDocument” and “messageMediaAudio”. Fig. 12 gives examples of the different data structures of object types “Message” and “MessageMedia”, which store information corresponding to text message, message service, message with photo attachment and message with document attachment. The application file “dialogs.dat” is an important artifact containing the user information that has been mapped on the data structure taken out from the open knowledge sources. Fig. 13 shows the messages retrieved from a particular “dialogs.dat” file example. Those data are displayed in human-readable format in Table 9. As in previous sections, the functions obtained from the source code (Source Code Application Telegram Messenger (Telegram for Windows Phone)), as shows Fig. 14, has been used to validate the data structures and the artifacts data. The “dialogs.dat” file also contains a log of secret messages and secret media messages, information on which is organised into data

Table 7 Constructors of object type “EncryptedChat”. Row#

Object

Type of chat

App Name

Description

1 2 3 3 4

EncryptedChat EncryptedChat EncryptedChat EncryptedChat EncryptedChat

Empty Waiting Requested Chat secret Discarded

encryptedChatEmpty encryptedChatWaiting encryptedChatRequested encryptedChat encryptedChatDiscarded

Encrypted chat doesn't exist Encrypted chat waiting for approval of second participant Request for creation of an encrypted chat. Encrypted chat (user-to-user) Encrypted chat discarded, deleted chat

Fig. 11. Example of “EncryptedChat” type structures. “encryptedChats.dat” data file.

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

12

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

Table 8 Constructors of object type “Message” and “MessageMedia”. Row#

Object

Type of message

App Name

Description

1 2 3 4 5 6 7 8 9 10 11

Message Message Message Message MessageMedia MessageMedia MessageMedia MessageMedia MessageMedia MessageMedia MessageMedia

Empty Message Service Forbidden Empty Photo Video Geo Contact Message Document Message Audio

messageEmpty message messageService messageForbidden messageMediaEmpty messageMediaPhoto messageMediaVideo messageMediaGeo messageMediaContact messageMediaDocument messageMediaAudio

Non message Normal Message Service message Forwarded message Attachment empty Attachment photo Attachment video Attachment Geo-Position. Attachment contact Attachment document Attachment audio

Fig. 12. Example of “Messages” and “MessageMedia” type structures.

Fig. 13. Example of “Messages” type structure. “dialogs.dat” file. “/Data/Root/Users/DefApps/APPDATA/{945B96A7-AADC-4DD0-806A-C2D1E0E6CA9A}/Local/” folder (Nokia Lumia 635). Data redacted to ensure the privacy of the user.

Table 9 Values from Fig. 13 in human-readable format (partial data). Sub-Field

Number of bytes

Type

Hexadecimal format

Human-readable format

message.Id flags id from_id to_id reply date message media customFlags randomId status

4 4 4 4 4 4 4 variable 8 4 8 4

int int int int int int int string long int long int

0x250306C3 0x01000000 0x61580000 0x7EBE???? 0xBBE5???? 0x3993BC08 0xDA356057 0x13; 0xD8??????????????????????????A7??????B1 0x2063ED3D 0xCC0B7356 0x0000000000000000 0x00000000

message constructor 1 22625 19?????98 31??????75 146576185 (chat id) Tue, 14 Jun 2016 16:50:34 GMT Long:19; data:”?????????????” MessageMediaEmpty Null 0 0

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

13

Fig. 14. Example of “ToStream” function on source code for “message” constructor. “telegram_wp.src\Telegram WP\Telegram WP\HexRequest\HexRequest\TL\TLMessage.cs” file. “Messages” type structures.

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

14

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

Table 10 Constructors of object type “DecryptedMessage” and “DecryptedMessageMedia”. Row#

Object

Type of message

App Name

Description

1 2 3 4 5 6 7 8 9

DM DM DMM DMM DMM DMM DMM DMM DMM

DM DM Service DMM Empty DMM Photo DMM Video DMM GeoPoint DMM Contact DMM Document DMM Audio

decryptedMessage decryptedMessageService decryptedMessageMediaEmpty decryptedMessageMediaPhoto decryptedMessageMediaVideo decryptedMessageMediaGeoPoint decryptedMessageMediaContact decryptedMessageMediaDocument decryptedMessageMediaAudio

Secret Message Service message Attachment secret Attachment secret Attachment secret Attachment secret Attachment secret Attachment secret Attachment secret

empty photo video Geo-Position contact document audio

*DM ¼ DecryptedMessage, DMM ¼ DecryptedMessageMedia.

Fig. 15. Example of “decryptedMessages” and “decryptedMessageMedia” type structures.

Table 11 Constructors of object type “Dialog”. Row#

Object

Type of dialog

App name

Description

1 2

Dialog Dialog

dialog dialog secret

dialog Unknown

Conversations Secret conversations

structures corresponding to the different constructors given in Table 10. The data structures and related constructors of secret messages and secret media messages is obtained from open knowledge (Data

structure of Telegram Messenger), and it has been validated with the data of the artifact “dialogs.dat” and the source code related functions (Source Code Application Telegram Messenger (Telegram for Windows Phone)). Fig. 15 shows several examples of the different data structures of object types “DecryptedMessage” and “DecryptedMessageMedia”, which store information corresponding to a secret message, secret message service, secret message with photo attachment, secret message with document attachment and secret message with audio attachment.

Fig. 16. Example of conversation type structures. “dialogs.dat” data file.

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

15

Fig. 17. Example of secret conversations in a “dialogs.dat” data file. “/Data/Root/Users/DefApps/APPDATA/Local/Packages/TelegramMessengerLLP.TelegramMessengerBeta_t4vj0pshhgkwm/LocalState/” folder. (Nokia Lumia 1320). Data redacted to ensure the privacy of the user.

The structure of the conversation and secret conversation As mentioned earlier, the “dialogs.dat” data file contains information on conversations and secret conversations (users, chats and messages), organised into data structures corresponding to the constructors given in Table 11. The data structure and related constructors are obtained from the open knowledge sources (Data structure of Telegram Messenger). Fig. 16 gives an example of how the different data structures of “dialog” and “dialogSecret” are stored inside the “dialogs.dat” file.

These data structures store all the information about a conversation, such as chat or user information and messages exchanged. The information of conversations and secret conversations have been obtained from the artifact “dialogs.dat” and mapped on the structures data extracted from the open knowledge (Data structure of Telegram Messenger) study. Fig. 17 shows the secret conversations retrieved from a particular “dialogs.dat” file example. Those data are displayed in humanreadable format in Table 12.

Table 12 Values from Fig. 17 in human-readable format (partial data). Sub-Field

Number of bytes

Type

Hexadecimal format

Human-readable format

SecretDialog.Id Peer.Id Chat_id TopDecryptedMessageRandomId UnreadCount With Messages Messages.count Messages (1).DecryptedMessage.Signature Messages (1).DecryptedMessage.Randomid Messages (1).DecryptedMessage.Randombytes Messages (1).DecryptedMessage.typemessage Messages (1).DecryptedMessage.Message Messages (1).DecryptedMessage.ChatId Messages (1).DecryptedMessage.InputFile Messages (1).DecryptedMessage.FromId Messages (1).DecryptedMessage.Out Messages (1).DecryptedMessage.Unread Messages (1).DecryptedMessage.Date Messages (1).DecryptedMessage.DeleteDate Messages (1).DecryptedMessage.Qts Messages (1).DecryptedMessage.status Messages (1).DecryptedMessage.count Messages (1).DecryptedMessage.Null Messages (2).DecryptedMessage.Signature Messages (2).DecryptedMessage.Randomid Messages (2).DecryptedMessage.Randombytes Messages (2).DecryptedMessage.typemessage Messages (2).DecryptedMessage.Message Messages (2).DecryptedMessage.ChatId

4 4 4 8 4 variable 4 4 4 8 4 4 variable 4 4 4 4 4 4 4 4 4 4 4 4 8 4 4 variable 4

int int int long int User type int int int long int int string int int int int int int int int int int int int long int int string int

0x02FFFFFF 0x04FFFFFF 0xB30D???? 0xD2245DE1A4A455C8 0x00000000 From 0x9A970DD1 to 0x3E000000 0x15C4B51C 0x0E000000 0xDE91B036 0x00000000D2245DE1 0xA4A455C8 0x000000000 0x07; 0x50657266656374 0xB30D???? 0xCC0B7356 0x6170???? 0xB5757299 0xB5757299 0x3E62F357 0xCC0B7356 0x03000000 0x0C000000 0x09000000 0xCC0B7356 0xDE91B036 0x0000000014EEC133 0x1183337A 0x000000000 0x0A;0x4F7468657207465737400 0xB30D????

SecretDialog constructor PeerEncryptedChat constructor 18?????611 D2245DE1A4A455C8 0 User data Vector constructor 14 DecryptedMessage constructor 3780977874 A4A455C8 0 Long: 7; data: “Perfect” 18?????611 Null 16?????65 boolTrue boolTrue Tue, 04 Oct 2016 08:03:10 GMT Null 3 12 9 Null DecryptedMessage constructor 0000000014EEC133 1183337A 0 Long: 10; data: “Other test” 18?????611

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

16

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

Fig. 18. Example of “ToStream” function on source code for “dialog secret” constructor. “telegram_wp.src\Telegram WP\Telegram WP\HexRequest\HexRequest\TL\TLDDialog.cs” file. “SecretDialog” type structures.

Reviewing the source code (Source Code Application Telegram Messenger (Telegram for Windows Phone)) has been identified the functions that process the user data (write, read, etc.) as shows Fig. 18. Analizing these functions has been validated the data structures and the artifacts data.

modifications in notification data (e.g. location or storage of photos). Analysing the log files it can be found relevant information e.g. seek if a particular user has started the Telegram application or if any relevant data has been updated.

Analysis of settings and log files information

Forensic use cases

This subsection illustrates the analysis of settings and log files information. The file “ApplicationSettings.xml” stores application data settings (e.g. Country, IP v4/v6 and Port, CurrentUser, IsAuthorized and IsoFileName) and “CommonNotifySettings.xml” stores the notification data settings of the application (e.g. AskAllowingLocationServices, ContactSound, SaveIncomingPhotos and SendByEnter). The log files are plain text files with a name format {YYYY}-{MM}{DD}.txt. These are stored in order of date of generation and recorded in the application event log (e.g. application startup, update service and connection check), as it is shown in Fig. 19. Although the analysis of these files does not correspond to the user's messaging data (e.g. contacts, chat, conversations or messages), valuable information can be obtained from them, in order to reinforce or modify the conclusions obtained from other user's messaging data. Due to the diversity of the information that these files can store, in our paper we don't include an in-depth description. A detailed analysis of the LOG file may suppose another separate study. From the analysis of the configuration files it is possible to extract relevant information about the last update of the application data, use of servers (from Telegram or other providers) and

This section illustrates the relation between the data structures described above, obtained following the study of open knowledge, artifacts and the source code, and located in different data files. The procedures for obtaining different types of information are described below. Obtain user-to-user message information A common task in an IM forensic analysis is to retrieve a given message and the peer-user, given a known text. The actions are first find a message with that text and second obtain who is the peeruser.  To find the message with the given text the following steps has to be done: Search the text in the “dialogs.dat” file. The text shall be inside a message structure with a known constructor value equal to 0x250306C3 (message.Id field). Thus, searching this constructor value we can locate the reference to the beginning of the message and decode the rest of the fields following the known structure (Fig. 12): unique identifier of the message, identifier of the sender

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

17

Fig. 19. Events corresponding with “2016-10-04.txt” log file.

(from_id), identifier of the recipient (to_id), etc.). It is worth looking at the example shown in Fig. 13 and the human-readable format from Table 9.

Obtain user-to-user secret message information In this subsection we look for the information that can be extracted from a secret message, once we know some “secret” text.

 Identify who is the peer-user of that message:  Find the secret message from a given known “secret” text: Search the text of to_id identifier in the “users.dat” file (user_id field). Knowing that the constructor value of the user structure is 0x185EB3CA we can locate the reference to the beginning of the corresponding user and decode the rest of the fields using the user structure given in Fig. 5. Thus, one can obtain the user related fields (“user_id”,“FirstName”, “LastName”, “phone”, “photo”, “status”, etc.) of the peer-user. It is worth looking at the example shown in Fig. 6 and the human-readable format from Table 4. Obtain chat information Another common task is to retrieve not only the messages from a given chat but also the chat participants, knowing the chat name.  Retrieve data for a given chat name Search for the text corresponding to the chat name in the “chats.dat” file. The text should be inside a chat structure with a known constructor value equal to 0xC79B9C6E (chat.Id field). Thus, searching this constructor value we can locate the reference to the beginning of the corresponding chat and decode the rest of the fields following the known structure (Fig. 8) identifying the different fields of interest such as: “Id”, “title”, “date”, “photo”, “Participants.user_id”, etc. It is worth looking at the example shown in Fig. 9 and the human-readable format from Table 6.  Identify the users participant in that chat Search each one of the different identifiers listed inside the Participants.user_id field retrieved before as chat participants that will be different user_id fields in the “users.dat” file. Knowing that the constructor value of the user structure is 0x185EB3CA we can locate the reference to the beginning of the corresponding user and decode the rest of the fields using the user structure given in Fig. 5. Thus, one can obtain the user related fields (“user_id”,“FirstName”, “LastName”, “phone”, “photo”, “status”, etc.) of the peer-user. It is worth looking at the example shown in Fig. 6 and the humanreadable format from Table 4.

Search for the secret text (clear text) in the “dialogs.dat” file. The text shall be inside a secret message structure with a known constructor value equal to 0xDE91B036 (in a DecryptedMessage.Signature field). Thus, searching this constructor value we can locate the reference to the beginning of the secret message and decode the rest of the fields following the known structure (Fig. 15). It shall identify several fields such as: unique identifier of the message, (unique identifier of the message, unique identifier of the secret chat, identifier of the sender (DecryptedMessage.FromId), “date”, “typemessage”, “secret message”, “status”, etc.).  Identify who is the message peer-user: Search the literal text of DecryptedMessage.FromId identifier in the “users.dat” file (a user_id field). One can obtain the information from all the fields of this user_id following the similar procedure as the second step of 6.1 case: Identify who is the peer-user of that message. Obtain user-to-user secret conversation information Finally, we show how to obtain a given user-to-user secret conversation, knowning for example the phone number of the peer-user.  Find the conversations associated with a given telephone number. Search for the telephone number (as normal text) in the “dialogs.dat” file. The text shall be a field With.phone inside a SecretDialog structure with a known constructor value equal to 0x02FFFFFF (SecretDialog.Id field). Thus, searching this constructor value we can locate the reference to the beginning of the message and decode the rest of the fields following the known structure (Fig. 12) it shall identify several fields such as: (“TopDecryptedMessageRandomId”, “UnreadCount”, “With” “MessageCount” “DecryptedMessages”, etc.). It is worth looking at the

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

18

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

Fig. 20. Methodology comparison among different proprietary and open operating system and IM applications considering several metrics.

example shown in Fig. 13 and the human-readable format from Table 9. One can obtain the information from all the fields of DecryptedMessages, an array of one or more several messages (unique identifier of the message, unique identifier of the secret chat, identifier of the sender, “date”, “typemessage”, secret message, “status”, etc.) following the steps given in Subsection Obtain userto-user secret message information. Conclusions This study of “Telegram Messenger” using the proposed forensic analysis methodology illustrates the range of information that can be obtained in the different steps. Thus, it is necessary to study the open knowledge and analyse the source code in order to interpret the information extracted from the application artifacts, as in the case of the structures that store the data files. It is clear that the combination of the three steps used in the proposed analysis methodology is both necessary and complementary, not only because together they provide a comprehensive overview of how the information is structured in the application, facilitating analysis and traceability, but also because their use helps avoid dependence on forensic applications that may yield insufficient or erroneous information. The proposed methodology can be used to extract accurate and detailed information from the Telegram Messenger application. Furthermore, the methodology can be applied to different versions of the same application running over a different versions of Windows Phone. This has been evaluated by several forensic analysis on two different mobile devices with distinct versions of Telegram IM app and several operating systems.

In addition, Fig. 20 shows the different level of information provided by 5 forensic analysis techniques (Open Knowledge, Artifacts obtained from Physical Image, File System Artifacts, Source Code and Inverse Engineering). The graph axes ranges form 0 e no information up to 100 e full information. The value assigned to each method is an empirical one based on our experience. Using this model of graphic, it is possible to compare the general difficulty of different scenarios identified by the combination of Open or Proprietary Instant Messaging (IM) applications installed on Open or Proprietary Operating System (OS). So, we can say that the greater the surface area of a scenario the better the results of the forensic analysis obtained. This paper has applied the methodology over an Open IM/Open OS scenario, where the analyst can obtain large quantity of information from all different methods (Fig. 20 e blue lines); on the other hand, the quantity of information retrieved from an Open IM/Proprietary OS scenario (Fig. 20 e red lines, eg. Telegram on IOS) is lower because it is more difficult to apply the artifacts analysis. In contrast, for a Proprietary IM/Open OS scenario (Fig. 20 e green lines, eg. WhatsApp/Android), the largest source of information comes from artifacts analysis. Finally, in a Proprietary IM/Proprietary OS scenario (Fig. 20 e purple lines, eg. WhatsApp/ iOS), the forensic analysis information could be quite limited. Additionally, it is worth noting that the proposed methodology can be applied on other situations to improve their results reliability. For example, the work carried out by Cosimo Anglano (2014), where the author only provides a description of the information extracted from the direct analysis of the artifacts generated by WhatsApp Messenger, can be improved, both the reliability and information taking into account the available APK source code analysis.

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004

J. Gregorio et al. / Digital Investigation xxx (2017) 1e19

It is worth mentioning that at the time of this study, commercial tools such as “UFED Physical Analyzer”, “Oxygen Forensics Analysis” and “Internet Evidence Finder” did not have the capacity to process information from “Telegram Messenger” for WP. For some mobile device versions, the program “UFED Physical Analyzer” did not recognise that the application was installed. This can generate analyses that omit information, since forensic analysts trust blindly in these tools that automate data extraction and forensic analysis. Given the above, it is evident that besides using various forensic tools to assist in the forensic analysis of digital evidence, it is necessary to apply a forensic analysis methodology for complete extraction of the information. In addition, these tools must be validated by the analysts themselves, since they are commercial or free and may omit information, as demonstrated in the case of “Telegram Messenger” for WP. Studies of this kind make a very important contribution, since they benefit open source tools such as “IM Analyzer”, facilitating the work of forensic analysts in the study of this kind of application. Likewise, scripts can be developed from this study, for example in “python”, to automate treatment of the information from the files studied, as in the case of the forensic tool “UFED Physical Analyzer”. Acknowledgments This work has been funded by the Police Sciences University Research Institute (IUICP) at University of Alcala through the project ref: IUICP-2016-001. References Anglano, Cosimo, 2014. Forensic analysis of whatsapp messenger on Android smartphones. Digit. Investig. 11 (3), 201e213. SpecialIssue: Embedded Forensics. Cellebrite, 2016a. Windows Phone Forensics - Physical Extraction and Decoding from Windows Phone Devices”. Available at: http://www.cellebrite.com/Pages/ windows-phone-forensics-physical-extraction-and-decoding-from-windowsphone-devices. Cellebrite, 2016b. LTD, Cellebrite Mobile Forensics. Available at: http://www. cellebrite.com/Mobile-Forensics. Clare Foges, November 2015. The Telegraph. “Why Is Silicon Valley Helping the Tech-savvy Jihadists?”, vol. 21. Anthony Cuthbertson. Yahoo news. “Isis Telegr. Channel Doubles Followers to 9,000 in Less than 1 Week”. 12 October 2015. Data structure of Telegram Messenger. Available at: https://core.telegram.org/

19

schema [accessed 4.10.2016]. ENFSI, November 2015. ENFSI-BPM-FIT-01. Best practice manual for the forensic examination of digital technology. Version 1. http://www.enfsi.eu/sites/default/ files/documents/enfsi-bpm-fit-01_1.pdf. Pamela Engel. Business insider. “One app maker has shut down almost 80 secret channels used by ISIS to communicate”. 18 November 2015. File location constructor. Available at: https://core.telegram.org/constructor/ fileLocation [accessed 15.11.2016]. Husain, Mohammad Iftekhar, Sridhar, Ramalingam, 2009. iForensics: Forensic Analysis of Instant Messaging on Smart Phones. In Digital Forensics and Cyber Crime. Springer Berlin Heidelberg, pp. 9e18. Husain, M., Sridhar, R., 2010. iForensics: forensic analysis of instant messaging on smart phones. In: Goel, S. (Ed.), Digital Forensics and Cyber Crime, vol. 31. Springer Berlin, Heidelberg. Lecture notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. International Data Corporation, 2016. Smartphone OS Market Share, 2016 Q3. Available at: http://www.idc.com/prodserv/smartphone-os-market-share.jsp. ISO/IEC, November 2012. 27037:2015. “Information Technology e Security Techniques e Guidelines for Identification, Collection, Acquisition, and Preservation of Digital Evidence”, vol. 15. Arjun Kharpal. CNBC. “Secretive Messaging App Used by IS Takes Down Posts”. 19 November 2015. Lundgren, Jenny, June 2015. Sinch! Blog. “Will Messaging Apps Kill Sms”. Available at: http://www.sinch.com/opinion/will-messaging-apps-kill-sms/”.18. Magnet Forensics, November 2014. Analyzing Windows Phone Artifacts with IEF, vol. 20. Internet Evidence Finder. Available at: https://www.magnetforensics. com/mobile-forensics/analyzing-windows-phone-artifacts-with-ief/. Magnet Forensics, 2016. Inc. Mobile Forensics. Available at: https://www. magnetforensics.com/mobile-forensics/. Mahajan, Aditya, Dahiya, M.S., Sanghvi, H.P., 2013. Forensic Analysisof Instant Messenger Applications on Android Devices arXiv preprintarXiv:1304.4915. Oxygen Forensics, 2016. Inc. Oxygen Forensics. Available at: http://www.ogygenforensics.com/en/. Steve Ragan. CSO online. “After Paris, ISIS Moves Propaganda Machine to Darknet”. 15 November 2015. Satrya, G.B., Daely, P.T., Shin, S.Y., 2016. Android forensics analysis: private chat on social messenger. In: Conference: the Eighth International Conference on Ubiquitous and Future Networks. (ICUFN 2016), Vienna, Austria. http:// dx.doi.org/10.1109/ICUFN.2016.7537064. At TU Wien. Source Code Application Telegram Messenger (Telegram for Android). Available at: https://telegram.org/apps [accessed 11.7.2017]. Source Code Application Telegram Messenger (Telegram for Windows Phone). Available at: https://telegram.org/apps [accessed 4.10.2016]. Statista, 2016. Global Mobile OS Market Share in Sales to End Users from 1st Quarter 2009 to 1st Quarter 2016. Available at: https://www.statista.com/statistics/ 266136/global-market-share-held-by-smartphone-operating-systems/. TL Language. Available at: https://core.telegram.org/mtproto/TL [accessed 15.11.2016]. User profile photo constructor. Available at: https://core.telegram.org/constructor/ userProfilePhoto [accessed 15.11.2016]. Victoria Woollaston. dailymail.co.uk. “The End of the Text Message? Mobile Chat Apps Overtake SMS for the First Time”. 29 April 2013.

Please cite this article in press as: Gregorio, et al., Forensic analysis of Telegram Messenger for Windows Phone, Digital Investigation (2017), http://dx.doi.org/10.1016/j.diin.2017.07.004