Secure instant messengers employ various techniques to ensure secure communication for users, such as eavesdropping denial, data leakage prevention, and privacy protection. While robust data protection techniques are generally considered beneficial, they may interfere with evidence collection during digital forensics investigations. Because this is well known, secure instant messengers are often used by criminals to conduct clandestine communications. Therefore, identifying potential ways to collect data from secure instant messengers is crucial for digital forensic investigations. We analyzed Wickr, a secure instant messenger, to determine possible data collection methods. We considered various cases that might be encountered during digital forensics investigations and listed the main data that can be collected in each case, much of which was encrypted data or the data used to encrypt it. We analyzed the collected data and the log-in process of Wickr in detail, through which we succeeded in logging in without knowing the password of the account used on the target computer, because the password was verified on the client, not the server, after the first login. Based on our analysis results, we showed that, when certain conditions are met, it is possible to log in to Wickr without a password even from devices that have never been logged in. This was performed through reverse engineering. Our results indicate that there may be various data collection methods for secure instant messengers from a digital forensics investigation perspective, and that more study is needed.