Abstract
Instant messenger (IM) apps store a variety of behavioral information about their users, such as secret chats, group chats, and file sharing, and are therefore important sources of evidence in digital forensic investigations. Mobile messenger apps store rich user-level data, but collecting it can be difficult because of various constraints on the device. PC messenger data, on the other hand, can be collected relatively easily but tends to be less informative than data from mobile messengers. Most messengers are cross-platform, supporting both mobile devices and PCs and synchronizing between them, which can be used to overcome the constraints on data extraction for evidence acquisition: data generated by IM use on one platform complements what can be extracted from the other. However, some IMs encrypt their stored data to protect it against external threats. Encryption effectively protects the user's data, but it poses a significant challenge to digital forensics, because the data must be decrypted before it can be used as evidence. Such IMs normally combine a key derivation function with a cryptographic algorithm to encrypt their data. To decrypt IM data for use as evidence, it is therefore necessary to identify how the functions used for encryption relate to one another and to determine the secret values from which the keys are generated. In this paper, we propose methods for acquiring user data, including conversation history protected by encryption, by analyzing the Telegram X and BBM-Enterprise apps in various mobile and PC operating environments. Both applications encrypt their databases with SQLCipher, an SQLite extension module. To decrypt these databases, we identified the SQLCipher parameters in use and derived the passphrase, the main secret. We validated our approach by experimentally decrypting the encrypted databases of Telegram X and BBM-Enterprise.
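The abstract describes the two things an examiner has to recover before a SQLCipher database yields anything: the cipher parameters (KDF hash and iteration count, page size, HMAC size) and the passphrase they are applied to. The following is an added example written for this page, not code from the paper or from Telegram X or BBM-Enterprise. It implements SQLCipher's documented page format and key schedule (PBKDF2 over a 16-byte salt stored in the clear at the start of the file, an HMAC key derived from the encryption key with the salt XORed by 0x3a, and a per-page IV plus HMAC trailer) with Ruby's OpenSSL bindings, constructs a one-page sample database under a made-up passphrase, and then performs the recovery step: derive the keys, verify the page HMAC, and decrypt page 1. The `V4_DEFAULTS` and `V3_DEFAULTS` tables hold SQLCipher's own published defaults; the actual parameters of a real app database are an assumption that has to be established first, which is exactly the identification work the paper reports. The passphrase and the database contents are constructed for the example.

```ruby
require 'openssl'

# SQLCipher parameters that must be identified before the passphrase is of any use.
# These are SQLCipher's documented v4 and v3 defaults; an app may override any of them.
V4_DEFAULTS = { digest: 'SHA512', kdf_iter: 256_000, page_size: 4096, hmac_len: 64 }.freeze
V3_DEFAULTS = { digest: 'SHA1',   kdf_iter: 64_000,  page_size: 1024, hmac_len: 20 }.freeze

# Per-page trailer: 16-byte IV + HMAC, rounded up to the AES block size.
def reserve_size(p)
  (16 + p[:hmac_len] + 15) / 16 * 16
end

# Page layout [salt (page 1 only)][ciphertext][IV][HMAC][pad]: ct start, ct end, IV offset, HMAC offset.
def page_layout(p, page_no)
  start = page_no == 1 ? 16 : 0
  stop = p[:page_size] - reserve_size(p)
  [start, stop, stop, stop + 16]
end

# SQLCipher key schedule: AES-256 key = PBKDF2(passphrase, file salt, kdf_iter);
# HMAC key = PBKDF2(enc_key, salt XOR 0x3a, 2 iterations); same hash for both.
def derive_keys(passphrase, salt, p)
  enc_key = OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: p[:kdf_iter], length: 32, hash: p[:digest])
  hmac_salt = salt.bytes.map { |b| b ^ 0x3a }.pack('C*')
  hmac_key = OpenSSL::KDF.pbkdf2_hmac(enc_key, salt: hmac_salt, iterations: 2, length: 32, hash: p[:digest])
  [enc_key, hmac_key]
end

# The page HMAC covers ciphertext || IV || page number (4 bytes, little-endian).
def page_mac(ct, iv, page_no, hmac_key, p)
  OpenSSL::HMAC.digest(p[:digest], hmac_key, ct + iv + [page_no].pack('V'))
end

# Constant-time equality, so a passphrase checker does not leak via timing.
def same_bytes?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Raw AES-256-CBC; SQLCipher page data is block-aligned, so no PKCS#7 padding.
def aes_cbc(mode, key, iv, data)
  c = OpenSSL::Cipher.new('aes-256-cbc')
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key, c.iv, c.padding = key, iv, 0
  c.update(data) + c.final
end

# Verify the HMAC first, so a wrong passphrase or wrong parameters are rejected
# before any plaintext is produced, then decrypt the data area.
def decrypt_page(page, page_no, enc_key, hmac_key, p)
  raise ArgumentError, "page #{page_no}: got #{page.bytesize} bytes, want #{p[:page_size]}" unless page.bytesize == p[:page_size]
  start, stop, iv_off, mac_off = page_layout(p, page_no)
  ct, iv, mac = page[start...stop], page[iv_off, 16], page[mac_off, p[:hmac_len]]
  raise 'HMAC mismatch: wrong passphrase, wrong parameters or modified page' unless same_bytes?(page_mac(ct, iv, page_no, hmac_key, p), mac)
  aes_cbc(:decrypt, enc_key, iv, ct)
end

# Inverse of decrypt_page; used here only to construct the sample file.
def encrypt_page(plain, page_no, salt, enc_key, hmac_key, p)
  start, stop, = page_layout(p, page_no)
  raise ArgumentError, "plaintext must be #{stop - start} bytes" unless plain.bytesize == stop - start
  iv = OpenSSL::Random.random_bytes(16)
  ct = aes_cbc(:encrypt, enc_key, iv, plain)
  page = ''.b
  page << salt if page_no == 1
  page << ct << iv << page_mac(ct, iv, page_no, hmac_key, p)
  page << "\0" * (p[:page_size] - page.bytesize)
end

# A constructed one-page SQLCipher file (not a real app database). Page 1 carries a plausible
# SQLite header body: page size, write/read versions, reserve bytes (offset 20), payload fractions, change counter, page count.
def build_sample_db(passphrase, p = V4_DEFAULTS)
  salt = OpenSSL::Random.random_bytes(16)
  enc_key, hmac_key = derive_keys(passphrase, salt, p)
  start, stop, = page_layout(p, 1)
  body = [p[:page_size], 1, 1, reserve_size(p), 64, 32, 32, 0, 1].pack('nC6NN').ljust(stop - start, "\0")
  encrypt_page(body, 1, salt, enc_key, hmac_key, p)
end

# The recovery step: salt from the first 16 file bytes, keys from the passphrase, then
# HMAC check and decrypt of page 1. db must be a binary string (e.g. from File.binread).
def open_first_page(db, passphrase, p = V4_DEFAULTS)
  raise 'file shorter than one page' if db.bytesize < p[:page_size]
  enc_key, hmac_key = derive_keys(passphrase, db[0, 16], p)
  decrypt_page(db[0, p[:page_size]], 1, enc_key, hmac_key, p)
end

# Plausibility check on decrypted page 1: fixed SQLite header fields at header offsets 16-23 (bytes 0-7 after the salt).
def header_plausible?(body, p)
  page_size, _wver, _rver, reserve, max_frac, min_frac, leaf_frac = body.unpack('nC6')
  page_size == p[:page_size] && reserve == reserve_size(p) && [max_frac, min_frac, leaf_frac] == [64, 32, 32]
end

if __FILE__ == $PROGRAM_NAME
  db = build_sample_db('demo-passphrase') # constructed secret, not a real app's
  puts "header plausible: #{header_plausible?(open_first_page(db, 'demo-passphrase'), V4_DEFAULTS)}"
  puts((open_first_page(db, 'wrong') rescue $!.message))
end
```

On a real file, read it with `File.binread`, call `open_first_page` with the parameter set identified for that app, and treat an HMAC mismatch as "passphrase or parameters wrong" rather than as file damage; the same check run over a candidate list is the cheapest way to confirm a derived passphrase before handing it to the SQLCipher shell (`PRAGMA key`, with the matching cipher settings such as `PRAGMA cipher_compatibility = 3` for a v3-format file). Because page 1's first 16 bytes are the salt, the decrypted body starts at header offset 16, which is why `header_plausible?` looks at the page-size and reserve fields rather than the usual `SQLite format 3` magic.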