5. ADDITIONAL DATA
In addition to the data from the “cache4.db” and “cache4.db-wal” files discussed earlier, it is useful to examine the Telegram log files, in particular:
- “~\org.telegram.messenger\cache\voip_logs\*.log” – may contain information on the operating system, the device make and model, and even the user’s IP addresses at different times;
Figure 35 Part of contents of the log file in the “~\org.telegram.messenger\cache\voip_logs” folder (the user's IP address follows the words “my IP”)
- “~\org.telegram.messenger\shared_prefs\com.google.android.gms.appid.xml” – contains information on the Telegram version and its installation date;
Figure 36 Part of contents of the “com.google.android.gms.appid.xml” file.
- “~\org.telegram.messenger\shared_prefs\HockeyApp.xml” – contains the Android device ID;
Figure 37 Contents of the “HockeyApp.xml” file
- “org.telegram.messenger\shared_prefs\userconfing.xml” – contains data on the last contact synchronization time and the Telegram version.
Figure 38 Part of contents of the “userconfing.xml” file
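The two artifact types listed above (plain-text call logs with “my IP” lines, and Android shared_prefs XML files) are simple to triage programmatically. The following Python is an added example written for this page, not code from the paper or from Telegram; the sample log lines and XML are constructed here, only the fact that the device address follows the words “my IP” is taken from the text, and the shared_prefs key names (“app_version”, “install_time_ms”) are hypothetical, since the paper shows the files only as figures.

```python
"""Triage helpers for Telegram Android voip_logs and shared_prefs artifacts (added example)."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of a voip_logs file. Only the "my IP <address>" pattern comes from the
# text; the timestamp and level layout are assumptions made for this example.
SAMPLE_VOIP_LOG = """\
2018-05-02 10:14:03 [INFO] OS: Android 8.0.0, device: SampleVendor SampleModel
2018-05-02 10:14:03 [INFO] my IP 203.0.113.45
2018-05-02 10:14:04 [DEBUG] connecting to relay
2018-05-03 19:22:11 [INFO] my IP 2001:db8::1a2b
2018-05-03 19:22:12 [INFO] my IP not-an-address
"""

# Constructed shared_prefs file in the standard Android <map> format. Key names are hypothetical.
SAMPLE_SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="app_version">4.8.9</string>
    <long name="install_time_ms" value="1525161600000" />
    <boolean name="example_flag" value="true" />
    <int name="example_count" value="3" />
</map>
"""

MY_IP_RE = re.compile(r"\bmy IP\s+(\S+)")
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def extract_my_ips(log_text):
    """Return (timestamp, ip) pairs for every 'my IP' line whose token is a valid IP address.

    The token is validated with the ipaddress module so that free text following the
    words 'my IP' is not mistaken for an address; IPv4 and IPv6 are both accepted.
    """
    results = []
    for line in log_text.splitlines():
        m = MY_IP_RE.search(line)
        if not m:
            continue
        token = m.group(1).rstrip(",;")
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an address: skip rather than record garbage
        ts = TIMESTAMP_RE.match(line)
        results.append((ts.group(1) if ts else None, str(ip)))
    return results


def parse_shared_prefs(xml_text):
    """Parse an Android shared_prefs XML document into a {name: typed value} dict."""
    root = ET.fromstring(xml_text)
    prefs = {}
    for el in root:
        name = el.get("name")
        if name is None:
            continue
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "float":
            prefs[name] = float(el.get("value"))
        elif el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        else:
            prefs[name] = el.get("value")  # unknown element type: keep the raw attribute
    return prefs


def ms_to_utc(ms):
    """Render a millisecond epoch value (as Android typically stores timestamps) as UTC text."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    for ts, ip in extract_my_ips(SAMPLE_VOIP_LOG):
        print(f"{ts}  my IP  {ip}")
    prefs = parse_shared_prefs(SAMPLE_SHARED_PREFS)
    print("Telegram version:", prefs["app_version"])
    print("Installed:", ms_to_utc(prefs["install_time_ms"]))
```

Reading the timestamp from each “my IP” line matters because the log can hold several addresses over time; keeping the pair rather than a bare list of addresses preserves the timeline the examiner needs.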
CONCLUSION
The reliability of the obtained results is ensured by the rigour of the problem statements and of the methods used.
The practical value of the obtained results is the ability to recover message-related data and the contact list, with information on each contact, from the SQLite databases and Telegram log files.
However, it is important to realize that Telegram is constantly updated and may be changed by its developers; the obtained results are therefore not exhaustive and require an individual approach in each case. For instance, even in the latest versions of the messenger, the main database (“cache4.db”) may contain fields whose structure was typical of previous versions.
REFERENCES
1. Boiko M. Examining electronic correspondence of Telegram Messenger on Android phones: Seminar materials of research specialists of the Ministry of Interior of Ukraine (Ternopil, 27-28.10.2016). – 27 p.
2. Anglano C., Canonico M., Guazzone M. Forensic analysis of Telegram Messenger on Android smartphones / ScienceDirect. – 2017. – 51 p. – Available at https://doi.org/10.1016/j.diin.2017.09.002.
3. Mahalik H., Tamma R., Bommisetty S. Practical Mobile Forensics. Second Edition / Packt Publishing Ltd. – 2016. – 394 p.
APPENDIX A
APPENDIX B
Results of searching for text messages, calls and user data from the test file “cache4.db”:
Method 1.
Method 2.
For comparison, partial results of searching for message-related data in the “cache4.db-wal” test file, containing text messages that had not yet been included in the “cache4.db” database at the time of evidence extraction:
[1] See Appendix A.
[2] The “cache4.db” file was viewed using SQLite Expert Personal 5.3.0.339 (© 2018 Coral Creek Software).
[3] In practice, numbers of 8 or 9 digits or fewer were encountered, such as «777000» (in the case of the “telegram” channel).
[4] For instance, if the user had sent/received 100000 messages/calls, this number would be approximately the same.
[5] After conversion to hexadecimal, this number will be 16 digits long.
[6] After conversion to hexadecimal, this number will be 16 digits long with 8 zeroes at the end.
[7] See Appendix B for the results of searching for text messages, calls and user data from the test file “cache4.db”.
[8] Variations in the initial 4 bytes of the “data” field were detected in the case of a group. Databases from different Telegram versions may hold their own “sets”.
[9] The list may not be exhaustive.
[10] «5f e4 9b c0» was observed in previous Telegram versions (October 2016), and «11 dc dd 90» in October 2017.
[11] «f9 55 55 55» was observed in previous Telegram versions (October 2016) [1].
[12] For reference: a detailed analysis of data on transferred files was not performed.
[13] Or the “\media\0\Android\data\org.telegram.messenger\cache” folder.