Elsevier

Digital Investigation

Volume 22, September 2017, Pages 88-106

Forensic analysis of Telegram Messenger for Windows Phone

https://doi.org/10.1016/j.diin.2017.07.004

Abstract

This article presents a forensic analysis methodology for obtaining the digital evidence generated by one of today's many instant messaging applications, namely “Telegram Messenger” for “Windows Phone”, paying particular attention to the digital forensic artifacts produced. The paper provides an overview of this forensic analysis, focusing in particular on how the information is structured and on how the user, chat and conversation data generated by the application are organised, with the goal of extracting the related data. Besides the functions of an instant messaging application (e.g. messages, images, videos, files), the application has several other features (e.g. games, bots, stickers). It is therefore necessary to decode and interpret the information, which may relate to criminal offences, and to establish the relations between the different types of user, chat and conversation.

Introduction

The wide variety of forms of communication available today include voice calls, text messages, multimedia messages, emails, VoIP calls and instant messaging. Thanks to the development of fast data networks (e.g. WiFi, 3G, 4G) and the use of digital devices (e.g. smartphones, tablets, smartwatches), such communication is established immediately. In addition, specific functions have been developed to verify the information transmitted (e.g. text, images, videos, documents), facilitating user interaction. However, the speed at which these new technologies are changing and the high number of applications available whose primary function is instant messaging (IM), render it necessary to conduct detailed studies of this kind of application. Different platforms (mobile or desktop environments) host a wide range of applications whose main but not exclusive function is IM (e.g. Facebook Messenger, iMessage, Line, Signal, Snapchat, Tango, Telegram, QQ, Threema, Viber, WeChat, WhatsApp) (Husain et al., 2010).

Similarly, many other applications (e.g. POF, MeetMe, Wallapop) are not primarily intended for instant communication between users but nevertheless include this function. IM has become an essential means of communication used on countless occasions, far outstripping voice calls or text messages (SMS) (Lundgren, 2015, Woollaston, 2013). IM applications are no longer used solely for personal communication but are also increasingly employed in business and professional environments as a means of official communication, and as a vehicle for criminal acts such as threats, phishing, cyberbullying, grooming and terrorist propaganda (Ragan, 2015, Cuthbertson, 2015, Engel, 2015, Kharpal, 2015, Clare Foges, 2015).

In this paper a new forensic analysis methodology is proposed and applied to the information generated by the mobile application “Telegram Messenger” for “Windows Phone” (WP), since no previous studies of the information stored by this IM application on this platform have been found in the literature.

Forensic analysts face various problems in relation to these applications, including constant upgrades and new features released with each new version (e.g. setting the frequency with which to delete messages on the recipient device, sending different file types, maximum size of files to send, voice calls via data or VoIP). There are several commercial forensic tools available that forensic analysts generally rely on to analyse the information generated by these applications; however, these tools do not always interpret all the information in the artifacts: they might produce false positives, or not cover the application or version in question. No single forensic tool covers all IM applications, or all of their features. Consequently, several of these tools are required in order to cover the full spectrum of mobile applications on the market. Unfortunately, many commercial tools base the range of applications they cover on the number of application downloads or even on client requests for the analysis of a specific application. Forensic analysts cannot afford to be limited by these constraints or to rely solely on the information processing capacity of these tools, since they may not identify all the applications installed or may only perform a rudimentary analysis of the information. Indeed, none of the commercial forensic tools examined in the present study (Cellebrite, 2016a, Cellebrite, 2016b, Oxygen Forensics, 2016, Magnet Forensics, 2016) offered satisfactory support for “Telegram Messenger” for WP, rendering it necessary to analyse and interpret the data stored by this application manually.

The rest of this article is organised as follows. The pertinent literature on forensic analysis and digital security is discussed in the “Related work” section. Then, the proposed methodology and the steps to conduct the analysis are described in the “Methodology for forensic analysis” section. The data structure used by the Telegram Messenger application for Windows Phone is described in the next section, “Data structure of Telegram Messenger for Windows Phone”. The commercial and/or open source tools used and the results obtained are detailed in the “Forensic analysis of data extracted from Telegram Messenger” section. Some use cases are shown in the “Forensic use cases” section and the paper ends with the “Conclusions”.

Section snippets

Related work

The “Windows Phone” operating system does not currently have a large market share (International Data Corporation, 2016, Statista, 2016), being far surpassed by others. However, its mere existence, the constant development of new applications and their potential use to commit criminal acts all render it necessary to conduct technical studies of mobile applications, since they may at some point be subject to forensic analysis. Few technical forensic studies have been conducted on the

Methodology for forensic analysis

The proposed methodology for extracting and processing information in a forensic analysis of an IM application consists of the three steps described below; these can be combined together to provide insight into the data and their interpretation.

  • 1. Open knowledge: A study of the various open data sources available, including technical studies, books, related blogs and others, to obtain information on the application. Depending on the case, this information should be verified by the forensic

Data structure of Telegram Messenger for Windows Phone

Before starting the analysis of Telegram Messenger for WP using the proposed methodology, this section is devoted to explaining how to interpret the data structure used by the Telegram application and how to parse the data obtained from an artifact according to that data structure.

Applying the open knowledge method, we have found out that the data structures are defined by means of “TL Language”, which consists of different object types (e.g. “User”, “Chat”, “Dialog”, “Participant”, “Photo”,
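The following decoder is an added example and is not code from the paper or from Telegram. It shows the part of "parsing an artifact according to the TL data structure" that the snippet above only names: the bare TL types (32-bit and 64-bit little-endian integers; `string`/`bytes` as a one-byte length up to 253, or 0xFE plus a three-byte length, followed by the payload padded to a 4-byte boundary) and boxed types introduced by a 32-bit constructor ID. The encoding rules follow the public MTProto TL serialisation description (https://core.telegram.org/mtproto/TL) and the constructor IDs for `boolTrue`, `boolFalse` and `vector` are taken from the public schema referenced on this page; the record layout (`id:long name:string phone:string is_bot:Bool`), the helper names and the sample bytes are assumptions constructed for this example, not a real Telegram constructor or data extracted from a device.

```python
"""Minimal TL (Type Language) binary reader for Telegram-style artifacts.

Added example, not the paper's code. Encoding rules follow the public MTProto TL
serialisation description; the record layout and sample bytes are constructed.
"""
import struct
from typing import Any, Callable, Dict, List

# Boxed types start with a 32-bit little-endian constructor ID. These three
# IDs come from the public TL schema (https://core.telegram.org/schema).
CONSTRUCTOR_NAMES: Dict[int, str] = {
    0x997275B5: "boolTrue",
    0xBC799737: "boolFalse",
    0x1CB5C415: "vector",
}


class TLReader:
    """Sequential reader over one TL-serialised byte string."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def _take(self, n: int) -> bytes:
        # Refuse to read past the end instead of silently returning short data.
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated TL data at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def read_int(self) -> int:            # TL 'int': 32-bit LE, signed
        return struct.unpack("<i", self._take(4))[0]

    def read_long(self) -> int:           # TL 'long': 64-bit LE, signed
        return struct.unpack("<q", self._take(8))[0]

    def read_constructor(self) -> int:    # 32-bit LE constructor ID
        return struct.unpack("<I", self._take(4))[0]

    def read_bytes(self) -> bytes:
        """TL 'string'/'bytes': short form (len <= 253) or long form (0xFE + 3-byte len),
        then the payload, then zero padding so header + payload is a multiple of 4."""
        first = self._take(1)[0]
        if first == 0xFE:
            length = int.from_bytes(self._take(3), "little")
            header = 4
        elif first <= 253:
            length = first
            header = 1
        else:
            raise ValueError(f"invalid TL length byte 0x{first:02x}")
        payload = self._take(length)
        self._take((-(header + length)) % 4)  # skip alignment padding
        return payload

    def read_string(self) -> str:
        return self.read_bytes().decode("utf-8")

    def read_bool(self) -> bool:
        name = CONSTRUCTOR_NAMES.get(self.read_constructor())
        if name == "boolTrue":
            return True
        if name == "boolFalse":
            return False
        raise ValueError("expected a Bool constructor")

    def read_vector(self, item_reader: Callable[["TLReader"], Any]) -> List[Any]:
        """Boxed Vector: constructor ID, 32-bit count, then `count` items."""
        if CONSTRUCTOR_NAMES.get(self.read_constructor()) != "vector":
            raise ValueError("expected a vector constructor")
        return [item_reader(self) for _ in range(self.read_int())]


def encode_bytes(payload: bytes) -> bytes:
    """Inverse of TLReader.read_bytes; used here only to build sample input."""
    if len(payload) <= 253:
        out = bytes([len(payload)]) + payload
    else:
        out = b"\xfe" + len(payload).to_bytes(3, "little") + payload
    return out + b"\x00" * ((-len(out)) % 4)


# Hypothetical record layout (an assumption for this example, not a real
# Telegram constructor): id:long name:string phone:string is_bot:Bool
SAMPLE_RECORD = (
    struct.pack("<q", 123456789)
    + encode_bytes("Alice".encode("utf-8"))
    + encode_bytes(b"+34600000000")
    + struct.pack("<I", 0xBC799737)      # boolFalse
)


def decode_record(data: bytes) -> Dict[str, Any]:
    """Parse one hypothetical record and insist every byte is accounted for."""
    r = TLReader(data)
    rec = {
        "id": r.read_long(),
        "name": r.read_string(),
        "phone": r.read_string(),
        "is_bot": r.read_bool(),
    }
    if r.pos != len(data):
        raise ValueError(f"{len(data) - r.pos} trailing bytes not consumed")
    return rec


if __name__ == "__main__":
    print(decode_record(SAMPLE_RECORD))
```

The padding arithmetic is where hand-written parsers usually go wrong: a 12-byte phone string occupies 16 bytes on disk (1 length byte + 12 + 3 padding), while a 300-byte payload occupies exactly 304 (4-byte header, no padding). Checking that the reader has consumed the whole buffer at the end of a record is the cheapest way to detect a misinterpreted layout before the wrong field values reach a report.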

Forensic analysis of data extracted from Telegram Messenger

This section describes the forensic analysis of “Telegram Messenger” for WP, using the steps described in the proposed methodology.

Due to the different functionalities of IM applications, this paper focuses on those that form the subject of forensic analysis in criminal investigations, while also indicating how to interpret the information contained in the internal memory files of the devices. “Telegram Messenger” offers the typical functions of any instant messaging application. For the

Forensic use cases

This section illustrates the relation between the data structures described above, obtained following the study of open knowledge, artifacts and the source code, and located in different data files. The procedures for obtaining different types of information are described below.

Conclusions

This study of “Telegram Messenger” using the proposed forensic analysis methodology illustrates the range of information that can be obtained in the different steps. Thus, it is necessary to study the open knowledge and analyse the source code in order to interpret the information extracted from the application artifacts, as in the case of the structures that store the data files. It is clear that the combination of the three steps used in the proposed analysis methodology is both necessary and

Acknowledgments

This work has been funded by the Police Sciences University Research Institute (IUICP) at University of Alcala through the project ref: IUICP-2016-001.

References (27)

  • Cosimo Anglano. Forensic analysis of WhatsApp Messenger on Android smartphones. Digit. Investig. (2014)
  • Cellebrite. Windows Phone Forensics - Physical Extraction and Decoding from Windows Phone Devices (2016)
  • Cellebrite LTD. Cellebrite Mobile Forensics (2016)
  • Clare Foges. The Telegraph. “Why Is Silicon Valley Helping the Tech-savvy Jihadists?” (November 2015)
  • Anthony Cuthbertson. Yahoo News. “Isis Telegr. Channel Doubles Followers to 9,000 in Less than 1 Week”. 12 October...
  • Data structure of Telegram Messenger. Available at: https://core.telegram.org/schema [accessed...
  • ENFSI. ENFSI-BPM-FIT-01. Best practice manual for the forensic examination of digital technology
  • Pamela Engel. Business Insider. “One app maker has shut down almost 80 secret channels used by ISIS to communicate”. 18...
  • File location constructor. Available at: https://core.telegram.org/constructor/fileLocation [accessed...
  • Mohammad Iftekhar Husain et al. iForensics: Forensic Analysis of Instant Messaging on Smart Phones. In Digital Forensics and Cyber Crime (2009)
  • M. Husain et al. iForensics: forensic analysis of instant messaging on smart phones
  • International Data Corporation. Smartphone OS Market Share, 2016 Q3 (2016)
  • ISO/IEC (November 2012)