Last month we released Oxygen Forensic® Detective v.13.1, the latest version of our all-in-one forensic solution. With this update, we have introduced new extraction methods for several applications, most notably, Signal Messenger.
Signal Messenger is a free and secure messaging app that provides end-to-end encrypted communication for millions of people around the world. Users have the ability to send and receive high-fidelity pictures, videos, and participate in voice and video calls.
What can we extract?
Oxygen Forensic® Detective v.13.1 provides investigators with access to backups including the following Signal Messenger data:
⦁ User account information
⦁ Phonebook contacts
⦁ Signal contacts
⦁ Private and group chats
⦁ Saved stickers
Investigators can acquire this data through two ways:
⦁ Entering the corresponding encryption code
⦁ Creating a new backup copy and saving it with a new encryption code
NOTE: The Signal backup encryption code is a passphrase consisting of 30 characters.
If a backup copy has already been created, but the passphrase is unknown, Oxygen Forensic® Detective will delete the backup copy encrypted with the unknown code and create a new one. In this case, the user data in the app’s database will not be altered and will remain the same; however, the previously created local chat backups will be deleted from the device.
NOTE: Once the newly created backup is created, it will remain on the device with a new code that is unknown to the account owner. Therefore, the investigator will be asked to disable the backup feature once the extraction is complete and the newly created backup is deleted. To disable the backup feature, the investigator must enter the mobile device and disable it through the Signal Messenger app.
Working with Backups in OxyAgent
To start, OxyAgent will scan the device for saved Signal backups and return the search results before extraction. Depending on the result, the investigator is offered several potential scenarios.
If backups are detected on the device, we suggest to either save the existing backups or to create a new backup in addition to the existing one, depending on the presence of a passphrase. Both options will include all current Signal data.
Investigators have the option to enter the passphrase from the existing backup into the OxyAgent interface or Oxygen Forensic® Detective after importing the backup file. If the known passphrase is entered in OxyAgent, it can be validated by checking the “Validate backup passphrase” box before the extraction starts. This process will ensure that the passphrase entered in OxyAgent is the correct passphrase corresponding to the Signal account.
If existing backups are detected and the investigator enters the correct passphrase, no further validation is necessary. The backups can be extracted without having to enter the passphrase into the Signal app itself.
If a backup was detected, but the passphrase is unknown, we recommend deleting the old backup with the previous passphrase and creating a new one encrypted with a new passphrase. User data will remain the same, but previously created backups will be deleted, as mentioned earlier.
Since the new backup will be encrypted with a new passphrase, which cannot be accessed by the account owner, it is suggested to leave the default check box to delete the backed up data and disable the Signal app’s backup function once the extraction completes.
If no backups are found on the device, the investigators can create a new one.
Since it’s impossible to detect whether the backup feature was enabled before starting the extraction, investigators can select the option to not disable backing up, so that the current passphrase remains valid. Thus, a new backup will be created and encrypted with the existing passphrase, which can then be entered into Oxygen Forensic® Detective after the import.
If the user has not entered the passphrase in OxyAgent at the extraction of the existing backups, they will be asked to enter it in the Signal section of Oxygen Forensic® Detective to decrypt data.
Once the passphrase is entered successfully, the backup will be decrypted and ready for further investigation.