Digital Forensic Analysis of Telegram Messenger on Android Devices

Conference Paper (PDF Available) · October 2016with 4,868 Reads
DOI: 10.1109/ICTS.2016.7910263
Conference: 2016 International Conference on Information & Communication Technology and Systems (ICTS), At Surabaya, Indonesia
Cite this publication
Abstract
We provide a thorough description of all the artifacts that are generated by the messenger application Telegram on Android OS. We also provide interpretation of messages that are generated and how they relate to one another. Based on the results of digital forensics investigation and analysis in this paper, an analyst/investigator will be able to read, reconstruct and provide chronological explanations of messages which are generated by the user. Using three different smartphone device vendors and Android OS versions as the objects of our experiments, we conducted tests in a forensically sound manner.
Digital Forensic Analysis of Telegram Messenger
on Android Devices
Gandeva Bayu Satrya
Telkom Applied Science School
Telkom University
gbs@telkomuniversity.ac.id
Philip Tobianto Daely
IT Convergence Engineering
Kumoh National Institute of Technology
20156130@kumoh.ac.kr
Muhammad Arif Nugroho
Telkom School of Computing
Telkom University
arif.nugroho@telkomuniversity.ac.id
Abstract—We provide a thorough description of all the
artifacts that are generated by the messenger application
Telegram on Android OS. We also provide interpretation
of messages that are generated and how they relate to one
another. Based on the results of digital forensics investigation
and analysis in this paper, an analyst/investigator will be able
to read, reconstruct and provide chronological explanations of
messages which are generated by the user. Using three different
smartphone device vendors and Android OS versions as the
objects of our experiments, we conducted tests in a forensically
sound manner.
Index Terms—Android forensics, Telegram, remnant data.
I. INT ROD UC TI ON
Short Message Service (SMS) was a widely used service
in the 2G and 3G eras. However in the 4G era things have
changed; SMS is being abandoned, and there is a significant
increase in the number of social media and social mes-
senger applications. Social media applications and social
messenger applications are online media that can be used
by users for free, to share and exchange information in the
form of texts, images, and videos. Various social messenger
applications offer a wide variety of interesting features
such as text chat, group chat, message notifications, share
location, share contacts, status updates, and file sharing.
Based on data from November 30th 2015, the world’s
Internet users reached 3,366 billion with Asia in the highest
position [1]. A wide range of applications can be displayed
and accessed in accordance with the users wishes. This
perceived ease of internet access can lead to unlawful
acts. Law violation which utilizes computer technology
with Internet access is hereafter identified as cybercrime
[2][3][4]. Identity theft, transaction fraud, blackmailing, and
other types of criminal acts using computers/smartphones
are all considered as cybercrimes.
This paper describes an investigation into digital forensics
on social messenger applications on Android smartphones
[5]. These various types of messenger applications are avail-
able in Google PlayStore and can be downloaded for free.
There increased use makes understanding these applications
important. It is expected that this paper could help forensics
investigators / analysts in facing cybercrime cases which
utilize social messenger applications. The case study used
here is of the application Telegram. The contributions of
this paper can be summarized as follows:
1) We discuss the process of acquisition, analysis, and
interpretation of metadata obtained from Telegram.
2) Furthermore we show how the remnant data relate
to each other within the process from the acquisition
to the analysis, such as when the user carries out
the installation process, signup / in, add / delete /
block contact, message sending process (text, figures,
or voice), location/file sharing, sign out, and uninstall.
In section II we review existing work. In section III we
explain the methodology used in the analysis process. Then
in section IV, we explain in detail the process of forensics
analysis conducted in this paper. Finally, in section V, we
give the conclusions of this paper.
II. RE LATE D WOR KS
Husein et al. 2009 [6] studied and reported the forensic
analysis of three different instant messaging applications
(IMs): AIM, Yahoo! Messenger and Google Talk, (both
client based and web based versions) showing that various
useful artifacts related to IMs can be recovered from the
iPhone, including username, password, buddy list, last log-
in time, and conversation timestamp as well as conversation
details. Forensic examination of Instant Messaging on smart
phones such as the iPhone pose a new challenge for
investigators as well as researchers due to the uniqueness
of the file system.
Mahajan et al. 2013 [7] conducted forensic data analysis
of two widely used IMs on Android phones: WhatsApp
and Viber. The tests and analysis were performed with the
aim of determining what data and information can be found
on the devices internal memory for instant messengers e.g.
chat messaging logs and history, send & received images
or video files, etc. But this paper does not cover the details
about the found traces and evidence as it is limited to normal
chat scenario only.
Anglano [8] was able to reconstruct the list of contacts
and the chronology of messages that had been exchanged by
users. The correlation of the contents of the chat database
with the information stored in the log files allows the
investigator to determine which messages have been deleted,
when these messages were exchanged, and the users that
exchanged them. But the usage of any hash function is not
performed in this paper.
2016 International Conference on Information, Communication Technology and System (ICTS)
978-1-5090-1381-4/16/$31.00 ©2016 IEEE 1
In this paper, we conducted Android forensics on the in-
ternet messenger application Telegram. Three smartphones,
Xiaomi Redmi Note 1W Android version 4.4.2, Samsung
Galaxy Note II SHV-E250K Android version 4.4.2, and the
Samsung Galaxy S4 GT-i9500 Android version 4.3 were
used. By consistently using forensically sound principles,
we conducted acquisitions and analysis. The difference
between this paper and the previous one is that an offline
mobile forensics process was performed on user activities
(install, login, insert / update / delete contact, chat text,
multimedia chat, and location/file share), and log live mo-
bile forensics. To strengthen digital evidence legitimation in
court, SHA-1 was used as a hash value.
III. ANALYSIS METHODOLOGY
A. Identifying
Identifying is deciding which materials to use as digital
evidence, where said evidence is stored, and assessing the
impact of the activities that will be performed by the user
[9]. The role of the writer in this case is as a forensics
investigator / analyst. For this paper three smartphones were
used as objects of experimentation. These were Xiaomi
Redmi Note 3G, Samsung Galaxy Note II LTE, and Sam-
sung Galaxy S4. The social messenger application used as
a case study was Telegram version 3.4.2 for Android OS.
B. Preserving
This is the most vital process of digital forensics [9]. To
uphold the values of cyberlaw, it is of utmost importance to
record events or steps which will be performed on electronic
evidence. It is an absolute requirement that an investigator
has legitimate and justified experience or certification. It is
also of utmost importance that the research is conducted
in a forensically sound manner in order to minimize the
occurrence of data changes, and if changes do occur, it must
be explained and accounted for before the courts.
The acquisition process can only be conducted on a
rooted smartphone. The acquisition process in this research,
used Android Debug Bridge tool v1.0.32, SQLite Browser
v3.8.0, Busybox v4.1, Root Browser v2.2.3, Online Nan-
droid Backup v4.4.5, dex2jar v2.0, sha1sum (Linux Ubuntu
14.04) and Notepad++ v6.8.8.
C. Analyzing
Extraction, processing, and interpretation of digital evi-
dence is the most important element in the forensics analysis
[9]. From the digital evidence produced in the preservation
process, data cannot be directly read or directly taken. With
the help of tools that were mentioned before, we were able
to proceed to the analysis process. The analytical method
we used was to compare the database and directories before
user activities and after. If the hash value obtained changed
then deeper analysis of that file was performed. In addition
to offline forensics, we also used a live forensics log
as supplementary metadata / remnant data. Analysis and
testing was divided into five categories:
1) Application and user activity: install, signup, and sign
in
2) Contact information: adding, update, delete, blocking
contact
3) Messages exchanged: text (one to one and one-to-
group), multimedia (one to one and one-to-group), and
voice message
4) Sharing: file and location
5) Deleted communication: clear chat, sign out, and unin-
stall
D. Presenting
The main objective of digital forensics is to help prove
cybercrime in court [9]. Here we give the results from all
the activities of the mobile forensics that were performed.
Hopefully this guidance can be useful to researchers, inves-
tigators and forensics analysts, and cyberlaw practitioners.
IV. TEL EG RA M DIG ITAL FORENSICS
A. Research Preparation
The scope of this research was to determine the remnant
data in Android devices from the utilization of Telegram
messenger activities, such as: installation, sign up, sign
in, contact (add, update, delete, block), text chat (one to
one communication and one-to-group), multimedia chat
(one to one communication and one-to-group), sharing (file,
contact, location), history (clear history and delete chat), log
out, and uninstall. The first test took place on the Samsung
Galaxy Note II for a total of seventeen testing activities.
Then, Xiaomi Redmi Note 3G was used as a user-1 message
sender / receiver. The Samsung Galaxy S4 was used as a
user-2 sender / receiver which was useful for further testing
related to communication group.
To find the remnant data we used offline forensics (from
the backup file smartphones) and online forensics (from live
whilst the activities took place). Then to make sure that
obtained digital evidence would be accountable in court,
in each of these activities the hash value was taken using
SHA-1 check sum [4]. Then at the analysis step, the data
that was acquired was compared before and after each user
activity. If a different hash value was found, only then could
analysis be conducted. Then at the end the remnant data that
is generated by Telegram Messenger on Android devices is
presented, including file names, locations and contents.
B. Post-mortem Investigation
Fig. 1: Structure Telegram Forensics Analysis
2
Fig 1 shows the results of manual digging in this research.
Broadly speaking, Telegram Messenger has three important
files which are Telegram.apk, Directory storage files located
in the local memory of the smartphone, and databases
of all the activities to be carried out in further testing
and analysis. To simplify the analysis, the authors divided
this scenario into five broad scenarios branched out into
more specific sub scenarios. The scenarios are application
and user activity, contact information, messages Exchange,
sharing, and deleted communication. In each sub-section
there is a detailed description of any activities that were
performed by Telegram users.
1) Application and user activity: The smartphone was
in a rooted state, in which all previously mentioned tools
had been successfully installed. The chain of activities for
this research was first opening the Google Play Store,
conducting the installation process, then proceeding with
the sign up and sign in. Two methods were used, namely
online and offline forensics. In Table I are the results of the
online forensics that were obtained adb logcat. Timestamp
of obtained logcat could be used as digital evidence in court
later.
Fig. 2: Evidence user already signup
For the investigator to obtain user information regarding
who logged in along with the telephone number used for
the registration process, offline forensics is required. Offline
forensics was obtained using adb backup -all command.
Then it was analyzed with the help of Linux. The reason for
using Linux was for finding which files were changed and
to make the sorting process easier. As mentioned in section
Analysis Methodology we used the method of comparing
hash values prior and post activity. With this method, we got
information on which files were changed. After that analysis
was performed on the database of said changed file.
For the sign up activity the registered phone num-
ber is found in the database by performing analysis di-
rectly on \data\data\org.telegram.messenger\
files\cache4.db directory on the users table. As
shown in Fig 2, it can be seen clearly (without encryption),
the association between users who sign up and the phone
number that was already registered with the format userID,
full name with nickname, and a operator phone number
that was already registered. Furthermore in its database,
Telegram used BLOB to filter all data. As is written on the
Robo Realm website the purpose of using BLOB filters is
that it is reliable and dependable despite noisy background
[10]. We did not discuss filtering, because the focus of this
research was the analysis of mobile digital forensics.
Fig. 3: Evidence database users in table users
2) Contact information: The same method was used to
obtain metadata associated with contact information such
as: adding contacts, update contact information, delete, and
blocking contact. An online forensics log using logcat got
the information related to these activities as shown in Table
II. It could be used as a reference for investigators / analysts
in the search for digital evidence and in strengthening the
offline analysis.
As for offline forensics, the files are found in the same
database cache4.db but are displayed in different tables.
For contact information, Telegram stores in the user
table as in Fig 3 above. In the user table userID, name
(with nickname), status (the last seen status), and data
(SQLite will show the full name and number of the service
used by the user) will be seen. User information not
only exists on users table, but also in tables of user_
contacts_v6 (will look userID, forename, and surname)
and user_phones_v6 (will show userID, phone number,
and deleted).
The delete user scenario was correlated with user_
phones_v6 tables. In the delete column is shown 1which
means it has been deleted, or otherwise 0if the user is
still stored in contacts. For the blocking contact scenario, in
which before the activity the blocked_users table was
empty, after block has been conducted against the user (uid:
173080146), table blocked_users on cache4.db
the database is filled with the user id.
3) Messages exchange: In this scenario, there were three
sub-scenarios which were chat text, multimedia chat, and
voice messages. By using the adb logcat, information
regarding the chat text and multimedia along with the time
and date of the incident was obtained as displayed in Table
III. Everything is clearly visible for each activity that was
used including matching timestamp against cache4.db
database. The total number of logs is massive, and thus we
just take the most important ones.
3
If offline database forensics on cache4.db is con-
ducted, then on the table messages, there will be visible
all the information from particular users about chats that
have been done both on one-to-one or one-to-group com-
munication. Fig 4 is an example of the output text message
sent from userID 179433774 to groupID 58700220
along with the time it happened. Subsequent analysis that
can be obtained from here is the text that is displayed
in this table. This is unencrypted in plain text. Thus, the
investigator/analyst can search for remnant data information
related to chats that may have been used in cybercrime or
cyberterrorism.
Fig. 4: Evidence database messages in table messages
In addition to text chat, the authors also show evidence
related to multimedia chat conducted by the sender
(uid: 179433774) to the recipient (uid: 197761233).
In Fig 5 it can be seen that the sender has sent the
image named (along with its directory) /storage/
emulated/0/Android/data/org.telegram.
messenger/cache/2147483648_210001.jpg
and that it was copied to the /sdcard/Telegram/
TelegramImages/2147483648_210001.jpg.
Fig. 5: Evidence multimedia files during chating
Fig 6 shows digital evidence related to groups. It shows
remnant data information with the format of groupID (uid
58700220), group name (WENS Forensics), and data
(metadata format). If we look closer we see that the UID has
ten digits and the group ID has eight digits. However, the
number of digits will increase according to the number of
users enrolled in the Telegram server membership. The next
analysis is uid layout for groups, shown in the table chats.
Uid for users is shown in the table users of the database
cache4.db. Here we can also see the uid analysis for
Telegram itself which was used to broadcast messages from
a central server. Telegram itself uses uid 777000 or a 6
digit number. All chat data can be found on the messages
table. The main difference between one to one and group
chat is that one to one is only visible in common numbers
(10 digits) while the group chat has ”-” signs next to it,
as seen in Fig 4. Uid with the code ” -58700220” is for
the group, while uid with code 179433774 is for a single
user (sender).
Fig. 6: Evidence group name that already join
For the voice message scenario, we can obtain voice-
related files that are sent from the sender to the receiver
and vice versa. From Fig 7 it can be identified that the
Telegram Audio folder contains several files that are
related to voice chat with name.ogg file name format. If we
have an audio player that supports ogg files, it can be opened
directly. If not, we can use a converter such as, ogg to wav,
in which it will produce a file with the same file name but
different extensions such as 5_770662191127855105.
wav. Then it can be played in Windows Media Player with
the same sound quality and without encryption.
Fig. 7: Stored files by Telegram in local memory
4) Sharing: We divide this scenario into two sub-
scenarios which are file sharing (sender sends a file with
the extension PDF) and location sharing (sender sends the
position they are located). For the analysis of the live
forensics log, using ADB Logcat, a timestamp to the event
is shown in Table IV. As for offline forensics we used a
file that had been acquired and the same analysis was done
as for previous activities. Later on the files could be found
in the shared Telegram Documents folder as already
shown in Fig 7. In this case the sharing location was stored
in addition to a file in jpeg format. If the image is opened
it shows a map with the persons location indicated.
4
5) Deleted communication: This scenario is divided into
three sub-scenarios which are clear chat, logout, and unin-
stall. If clear chat is done on a particular user-1 then
blob value for said user is null, but said user-1 is still
displayed in the messages table. If delete chat is done on
user-1, then mid and uid from said deleted user will be
gone from the message table. Moreover, if there is a file
that has been sent, it will also erase the data alias within
the Telegram Documents folder (example). As for the
logout scenario, the database file cache4.db still exists,
but all the values of the table will be empty.
C. Discussion
This analysis provides a guide that can be used by digital
forensics investigators, forensics analysts, and that should
improve knowledge for cyberlaw practitioners in finding
remnant data on the application Telegram Messenger. In
Table V is a summary of all the results of post-mortem
investigations analysis detailed above. 1-1 is one to one
communication, while the 1-n is one to group commu-
nication. Seventeen scenarios were investigated. Numbers
1-14 were very easy to obtain, whereas for numbers 15-
17 log forensics and offline forensics had to be used
simultaneously. With log live forensics, the exact timing of
every activities were able to be obtained. This investigation
was performed with assumption that the smartphones have
not been turned off from the time of activity happening until
the time of investigation.
V. CO NC LU SI ON
Based on the post-mortem investigation that has been
done in five major scenarios (divided into seventeen smaller
scenarios) on Telegram Messenger 3.4.2 application on An-
droid devices, this paper details remnant data that could be
used as digital evidence in cybercrime cases. In some sce-
narios we also show the interpretation of existing databases
on contact and chat, both text and multimedia. The foremost
conclusion is that this research can be used as a reference
for forensics investigators and analysts relating to remnant
data searches in cybercrime cases. There are many other
Internet messenger applications that could be used in future
case studies, as well as platforms other than Android and
utilizing different vendors.
ACK NOW LE DG ME NT
This work was supported by Laharisi. This work was
supported by Forensics and Security Laboratory, Infor-
matics Engineering Telkom School of Computing, Telkom
University, Bandung, Indonesia. And also thank you for
WENS Laboaratory, Kumoh National Institute of Technol-
ogy, Gumi, South Korea.
REF ER EN CES
[1] Internet World Stats. World internet usage and population statistics
november 30, 2015 - update. http://www.internetworldstats.com/stats.
htm. Accessed: 2016-01-01.
[2] G.B. Satrya and S.Y. Shin. Optimizing rule on open source fire-
wall using content and pcre combination. Journal of Advances in
Computer Networks, 3(3):308–314, 2015.
[3] Gandeva B. Satrya, Niken D.W. Cahyani, and Ritchie F. Andreta. The
detection of 8 type malware botnet using hybrid malware analysis in
executable file windows operating systems. In Proceedings of the
17th International Conference on Electronic Commerce 2015, ICEC
’15, pages 5:1–5:4, New York, NY, USA, 2015. ACM.
[4] G. B. Satrya, P. T. Daely, and S. Y. Shin. Android forensics analysis:
Private chat on social messenger. In 2016 Eighth International
Conference on Ubiquitous and Future Networks (ICUFN), pages
430–435, July 2016.
[5] Andrew Hoog. Android forensics: investigation, analysis and mobile
security for Google Android. Elsevier, 2011.
[6] Mohammad Iftekhar Husain and Ramalingam Sridhar. iforensics:
forensic analysis of instant messaging on smartphones. In Digital
forensics and cyber crime, pages 9–18. Springer, 2009.
[7] Aditya Mahajan, MS Dahiya, and HP Sanghvi. Forensic analysis of
instant messenger applications on android devices. arXiv preprint
arXiv:1304.4915, 2013.
[8] Cosimo Anglano. Forensic analysis of whatsapp messenger on
android smartphones. Digital Investigation, 11(3):201 – 213, 2014.
Special Issue: Embedded Forensics.
[9] Rodney McKemmish. What is forensic computing? Australian
Institute of Criminology Canberra, 1999.
[10] Robo Realm. Blob filter. http://www.roborealm.com/help/Blob
Filter.php. Accessed: 2016-01-01.
5
TABLE I: Installation and sign up log activity
Activity logcat timestamp
Installing 02-02 14:28:54.128 4583 4583 D Finsky : [1] InstallerTask.advanceState: Begin install of org.telegram.messenger
Launch 02-02 14:29:23.058 4583 4583 D Finsky : [1] ReferrerRebroadcaster.onPackageFirstLaunch: Package first launch for
org.telegram.messenger
Sign up 02-02 14:29:33.495 6108 6108 D HockeyApp: Looking for exceptions in: /data/data/org.telegram.messenger/files
02-02 14:29:33.720 2504 2719 D ActivityManager: bindService callerProcessName:android, calleePkgName:
org.telegram.messenger, action: android.content.SyncAdapter
SMS Verification 02-02 14:29:37.188 2503 2727 I TIMA: tlc communication: Send Trustlet TCI Message
02-02 14:29:37.188 2503 2727 I TIMA: tlc communication: mcNotify is completed
Opening 02-02 14:29:38.443 2503 3069 D ActivityManager: startService callerProcessName:org.telegram.messenger, calleePkg-
Name: org.telegram.messenger
TABLE II: Contact information log activity
Activity logcat timestamp
Adding 02-02 17:37:34.049 4383 5006 D LPE ANALYZER:InactiveAppAnalyzer: a$c: 566 >AppUsageStatsVO [id=null,
appInfo=AppInfoVO [applicationLabel=Telegram, packageName=org.telegram.messenger, isUserApplication=true, hasLaunchIn-
tent=true, lastAppExecTime=Thu Jan 01 09:00:00 GMT+09:00 1970, lastServiceRunningTime=Thu Jan 01 09:00:00 GMT+09:00
1970, installedTime=Fri Aug 01 21:00:00 GMT+09:00 2008, numOfExecution=0, totalRunningTime=0, numOfNoti=0, avgMemIn-
Service=0, startGatheringData=null, endGatheringData=null], date=Tue Feb 02 00:00:00 GMT+09:00 2016, startDate=Mon Feb
01 15:33:02 GMT+09:00 2016, lastUsedTime=Tue Feb 02 11:30:37 GMT+09:00 2016, runningDays=2, pointForInactive=1.0,
startGatheringData=null, endGatheringData=null]
Updating 02-02 17:37:47.194 2504 2851 D ActivityManager: startService callerProcessName:org.telegram.messenger, calleePkgName:
org.telegram.messenger
Deleting 02-02 18:29:33.495 6108 6108 D HockeyApp: Looking for exceptions in: /data/data/org.telegram.messenger/files
Blocking 02-02 18:30:07.435 2489 2489 D PopupWindow: invokePopup: mPopupView = org.telegram.ui.ActionBar. Action-
BarPopupWindow$ActionBarPopupWindowLayout43540fa8 VFED.... ......I. 0,0-0,0, WindowManager.LayoutParams =
WM.LayoutParams(296,50)(wrapxwrap) gr=#10000033 ty=1000 fl=#860000 extfl=#0 fmt=-3 flagsEx=10007f
TABLE III: Chatting log activity
Activity logcat timestamp
Chat (S) Text 02-06 19:34:12.246 6089 6089 I dalvikvm: Could not find method org.telegram.ui.Cells.ChatBaseCell.onProvideStructure, refer-
enced from method org.telegram.ui.Cells.ChatMessageCell.onProvideStructure
Chat (R) Text 02-06 19:34:12.311 6089 6089 I dalvikvm: Could not find method android.app.Activity.checkSelfPermission, referenced from
method org.telegram.ui.Components.ChatActivityEnterView$8.onTouch
Chat (S) Image 02-06 19:36:01.221 6089 6089 I dalvikvm: Could not find method android.content.Context.checkSelfPermission, referenced from
method org.telegram.ui.Components.ChatAttachView.updatePhotosButton
Chat (R) Image 02-06 19:37:07.241 6089 6089 I dalvikvm: Could not find method android.app.Activity.checkSelfPermission, referenced from
method org.telegram.ui.PhotoViewer$2.onItemClick
Voice 1 02-06 19:37:38.996 6089 6089 V Vibrator: Called vibrate(long) API - PUID: 10212, PackageName: org.telegram.messenger
Voice 2 02-06 19:37:38.996 6089 6089 V Vibrator: vibrate - PUID: 10212, PackageName: org.telegram.messenger, ms: 20, mag: -1
Voice 3 02-06 19:37:39.001 2504 3089 D VibratorService: ImmVibe vibratorOff()
TABLE IV: Share location log activity
Activity logcat timestamp
share location 02-06 19:41:05.935 2446 2446 W dalvikvm: VFY: unable to resolve new-instance 21 (Landroid/animation/StateListAnimator;) in
Lorg/telegram/ui/LocationActivity;
02-06 19:41:05.940 2446 2446 W dalvikvm: VFY: unable to resolve virtual method 61: Landroid/app/Activity;.checkSelfPermission
(Ljava/lang/String;)I
02-06 19:41:05.943 2446 2494 D skia : jpeg decoder mode 1, config 6, w 296, h 526, sample 1, bsLength 906e!!
share file 02-06 20:14:36.968 2446 2446 D ListView: mSelectorRect.setEmpty in layoutChildren this=android.widget.ListView42697e58
VFED..CL ......ID 0,0-720,1118 #7f0c000d app:id/listView
02-06 20:14:37.148 2446 2446 D ListView: mSelectorRect.setEmpty in layoutChildren this=android.widget.ListView42697e58
VFED..CL .F....ID 0,0-720,1118 #7f0c000d app:id/listView
6
TABLE V: Guidance for finding remnant data on Telegram Messenger
No Activity Location Method
1 Installation \data\data\app\org.telegram.messenger-1.apk Offline & Online Forensics
2 Sign up / login \data\data\org.telegram.messenger\files\cache4.db Offline & Online Forensics
3 Adding contact \data\data\org.telegram.messenger\files\cache4.db Offline & Online Forensics
4 Update contact \data\data\org.telegram.messenger\files\cache4.db Offline & Online Forensics
5 Deleting contact \data\data\org.telegram.messenger\files\cache4.db Offline & Online Forensics
6 Blocking contact \data\data\org.telegram.messenger\files\cache4.db Offline & Online Forensics
7 1-1 Comm. Text \data\data\org.telegram.messenger\files\cache4.db Offline & Online Forensics
8 1-n Comm. Text \data\data\org.telegram.messenger\files\cache4.db Offline & Online Forensics
9 1-1 Comm. Multimedia \sdcard\Telegram\TelegramImages\*.jpg Offline & Online Forensics
10 1-1 Comm. Multimedia \sdcard\Telegram\TelegramImages\*.jpg Offline & Online Forensics
11 1-1 Voice Comm. \sdcard\Telegram\TelegramAudio\*.ogg Offline & Online Forensics
12 1-1 Voice Comm. \sdcard\Telegram\TelegramAudio\*.ogg Offline & Online Forensics
13 share file \sdcard\Telegram\TelegramDocuments\*[pdf|doc|zip] Offline & Online Forensics
14 share location \sdcard\Telegram\TelegramImages\*.jpg Offline & Online Forensics
15 clear chat \data\data\org.telegram.messenger\files\cache4.db Offline & Online Forensics
16 log out cache4.db database will becoming NULL Offline & Online Forensics
17 uninstall Only directory \sdcard\Telegram\*is exist Offline & Online Forensics
7
5ac23c030f7e9bfc045e536f.pdf
349.04 KB
  • Chapter
    Nowadays, mobile devices have evolved vertiginously due to their massive adoption by users, who have several devices with different purposes. These devices contain greater capacity/functionality to manage information, with the embedded characteristics they become an important digital evidence container. In recent years, considerable research has been conducted on various types of digital electronic evidence, acquisition schemes and methods of extracting evidence from mobile devices. In this paper, a systematic mapping of the Forensics Analysis on Mobile Device is presented; this research has been conducted following the guidelines of Kitchenham’s methodology. The aim of this study is to provide a background of relevant activities that are considered by investigators to handle with potentially useful digital evidence from mobile devices. A total of 36 primary studies were selected and categorized to extract information regarding the aforementioned classification. The results presented in this contribution provide a detailed study about current analysis in research forensics field by the use of mobile devices.
  • Article
    Full-text available
    In this paper we present a methodology for the forensic analysis of the artifacts generated on Android smartphones by Telegram Messenger, the official client for the Telegram instant messaging platform, which provides various forms of secure individual and group communication, by means of which both textual and non-textual messages can be exchanged among users, as well as voice calls.Our methodology is based on the design of a set of experiments suitable to elicit the generation of artifacts and their retention on the device storage, and on the use of virtualized smartphones to ensure the generality of the results and the full repeatability of the experiments, so that our findings can be reproduced and validated by a third-party.In this paper we show that, by using the proposed methodology, we are able (a) to identify all the artifacts generated by Telegram Messenger, (b) to decode and interpret each one of them, and (c) to correlate them in order to infer various types of information that cannot be obtained by considering each one of them in isolation.As a result, in this paper we show how to reconstruct the list of contacts, the chronology and contents of the messages that have been exchanged by users, as well as the contents of files that have been sent or received. Furthermore, we show how to determine significant properties of the various chats, groups, and channels in which the user has been involved (e.g., the identifier of the creator, the date of creation, the date of joining, etc.). Finally, we show how to reconstruct the log of the voice calls made or received by the user.Although in this paper we focus on Telegram Messenger, our methodology can be applied to the forensic analysis of any application running on the Android platform.
  • Conference Paper
    Secure messaging applications have been used for the purposes of major crime, creating the need for forensic research into the area. This paper forensically analyses two secure messaging applications, Wickr and Telegram, to recover artefacts from and then to compare them to reveal the differences between the applications. The artefacts were created on Android platforms by using the secure features of the applications, such as ephemeral messaging, the channel function and encrypted conversations. The results of the experiments documented in this paper give insight into the organisation of the data structures by both Wickr and Telegram, as well as the exploration of mobile digital forensics techniques to recover artefacts removed by the ephemeral functions.
  • Android forensics: investigation, analysis and mobile security for Google Android
    • Andrew Hoog
    Andrew Hoog. Android forensics: investigation, analysis and mobile security for Google Android. Elsevier, 2011.
  • Blob filter. http://www.roborealm.com/help/Blob Filter.php. Accessed
    • Robo Realm
    Robo Realm. Blob filter. http://www.roborealm.com/help/Blob Filter.php. Accessed: 2016-01-01.
  • Conference Paper
    Full-text available
    In this paper, we discuss remnant data from private chat, secret chat, and hidden chat in social messenger applications for Android. We explain all the artifacts which are produced by social messengers. We also provide interpretations of generated messages as well as how they relate to one another. Based on the investigation results of Android forensics and analysis in this paper, an analyst or investigator will be able to read, reconstruct, and present the chronology of the messages which have been created by the user. By using two smartphones with different brands and different Android OS versions as experimental objects, we conducted a digital investigation in a forensically sound manner.
  • Article
    Full-text available
    In accordance with current technological developments, such as the Internet of Things, Big Data, and 5G Technology that almost all of them are better in terms of infrastructure, faster in terms of bandwidth, and more technological savvy than previous technology. From all of these developments, there are positive and negative impacts. The positive impact certainly gives things that can help our daily lives even to do business. While the negative impact is the most feared thing in almost every country such as theft of intellectual property, financial fraud, damage of service network, etc. And that are all we know of cybercrime. NIDS (Network Intrusion Detection System) is a software application that can see deeper into the network to prevent suspicious activity such as malicious software or unauthenticated activity. The contribution of this paper is to provide a NIDS system that is more optimal and inexpensive in implementation because it uses Open Source Firewall of cyber-attacks. With additional features such as content and PCRE (Perl Compatible Regular Expressions) that are already known, can provide the optimization to the network security system of a company / campus. Based on the implementation and testing that has done, recommendations of new safe system and policy are provided for small or large corporate in implementing NIDS.
  • Conference Paper
    Full-text available
    Nowadays a lot of botnet are being used for the purpose of cybercrime such as distributed denial of services (DDos) or information stealing. Botnet is a collection of computers connected through Internet that has been taken over by an attacker using malwares. These infected computer are known as bot or zombie. These bot are controllable for the attacker through an infrastructure called Command and Control (C&C) server. In general, the spread of botnets Windows operating system as its main target in the form of executable file (.exe). Right now Windows have a massive number of application in the form of executable file and almost all of it doing connection to the Internet. So it make it very difficult to distinguish an executable file as a malware botnet or not. Therefore, to identify and detecting a malware botnet required malware analysis on Windows executable file. Many ways can be done in analyzing a malware. However, generally speaking there are two techniques in malware analysis. That is static analysis and dynamic analysis. By combining both the results of static analysis, dynamic analysis can produce data for detecting malware botnet in the executable files of Windows operating system that are Herpestnet, Ann Loader, mbot, Vertexnet, Athena, Elite Loader, Gbot, dan Cythosia.
  • Article
    Adam Graycar Director Developments in information technology have begun to pose new challenges for policing. Most professions have had to adapt to the digital age, and the police profession must be particularly adaptive, because criminal exploitation of digital technologies necessitates new types of criminal investigation. More and more, information technology is becoming the instrument of criminal activity. Investigating these sophisticated crimes, and assembling the neces-sary evidence for presentation in a court of law, will become a significant police responsibility. This paper provides an overview of the new law enforcement field of forensic computing. It is an abridged version of a report prepared by the author during his Donald Mackay Churchill Fellowship. Its publication here reflects the Australian Institute of Criminology's continuing role in informing policy makers and the public about complex criminal activity. T he application of computer technology to the investigation of computer based crime has given rise to a new field of specialisation—forensic computing—which is the process of identi-fying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable. It encompasses four key elements. 1. The identification of digital evidence is the first step in the forensic process. Knowing what evidence is present, where it is stored and how it is stored is vital to determining which processes are to be employed to facilitate its recovery. Whilst many people think of personal computers as the sole focus of forensic computing, in reality it can extend to any electronic device that is capable of storing information, such as mobile/cellular telephones, electronic organisers (digital diaries) and smart cards. In addition, the com-puter forensic examiner must be able to identify the type of infor-mation stored in a device and the format in which it is stored so that the appropriate technology can be used to extract it. 2. The preservation of digital evidence is a critical element in the forensic process. Given the likelihood of judicial scrutiny in a court of law, it is imperative that any examination of the electronically stored data be carried out in the least intrusive manner. There are circumstances where changes to data are unavoidable, but it is important that the least amount of change occurs. In situations where change is inevitable it is essential that the nature of, and reason for, the change can be explained. Alteration to data that is of evidentiary value must be accounted for and justified. This applies not only to changes made to the data itself, but also includes physi-cal changes that are made to the particular electronic device to facilitate access to the data.
  • Article
    Full-text available
    We present the forensic analysis of the artifacts left on Android devices by WhatsApp Messenger, the client of the WhatsApp instant messaging system. We provide a complete description of all the artifacts generated by WhatsApp Messenger, we discuss the decoding and the interpretation of each one of them, and we show how they can be correlated together to infer various types of information that cannot be obtained by considering each one of them in isolation. By using the results discussed in this paper, an analyst will be able to reconstruct the list of contacts and the chronology of the messages that have been exchanged by users. Furthermore, thanks to the correlation of multiple artifacts, (s)he will be able to infer information like when a specific contact has been added, to recover deleted contacts and their time of deletion, to determine which messages have been deleted, when these messages have been exchanged, and the users that exchanged them.
  • Article
    This paper focuses on conducting forensic data analysis of 2 widely used IMs applications on Android phones WhatsApp and Viber. The tests and analysis were performed with the aim of determining what data and information can be found on the devices internal memory for instant messengers eg chat messaging logs and history send & received image or video files etc. The experiments and results show that heavy amount of potential evidences and valuable data can be found on Android phones by forensic investigators.
  • Conference Paper
    Smart phones with Internet capability are growing in popularity, due to many of their useful capabilities. Among other handy features of smart phones, Instant Messaging (IM) is very popular due to the level of convenience it provides in interpersonal communications. As the usage of IM on smart phone is increasing rapidly, it is important to take measures in advance from forensic standpoint forecasting the potential use of it in cyber crimes such as the cyber stalking and cyber bullying. Although, current IM applications for smart phones are in most cases a downsized version of the one used on traditional computers, diverse structure of file systems and storage device on different smart phones pose unique challenges to forensic examiners for recovering digital evidences of a conversation under investigation. In this work, we study and report the forensic analysis of three different IMs: AIM, Yahoo! Messenger and Google Talk, (both client based and web based version) on Apple iPhone. Our results show that the forensic analysis of IMs on smart phones has significant value and needs further attention.