Telegram Forensics

What is Telegram?

Telegram is a cloud-based instant messaging and voice over IP service launched in 2013 by the brothers Nikolai and Pavel Durov. According to the U.S. Securities and Exchange Commission, the number of monthly Telegram users as of October 2019 is 300 million people worldwide.1

Let’s go through some security features of Telegram Messenger 

  1. Secret chats. Telegram offers end to end encrypted communication in secret chats. Moreover, secret chat messages cannot be forwarded or screenshot. 
  2. Self-destruct timer. For those users who are overly concerned about privacy, secret chats offer self-destruct timers for messages as well. Any message can be permanently deleted starting from one second to one week. 
  3. Message deletion. In Telegram, users can not only delete their own messages but also the messages of their remote parties, even after they were viewed.
  4. Anonymity.  To chat with people in Telegram it is not necessary to share your phone number with them. Your username will be enough for people to find you in Telegram. However, the phone number is necessary for registration. 

Secret chats with self-destruct timers are present in some other secure messengers, like Wickr Me for example. So, what other features may attract users to Telegram?

  1. Cloud-based. Telegram is a cloud-based messenger, so all the data is immediately and conveniently synchronized between devices (such as, your mobile device and computer). For forensic investigators this feature means that cloud evidence might be a great alternative source of Telegram data in case they have no access to the user’s mobile device or computer. 
  2. Add people nearby. Telegram offers a unique feature called “Add people nearby”, which allows users to find people nearby who’ve also enabled this feature. You can chat with them, enter nearby groups, or read messages and contact details shared there. A potential benefit to investigations is the fact that these nearby chats are saved together with geo coordinates and can be extracted from mobile devices. 
  3. Сhannels. In Telegram, anybody can create a channel to transmit information like commercial deals, news, personal blogs, etc. Extracted channel information may give lots of insights about the user’s interests to the investigator, especially when channels publish illegal information.  
  4. More capacity. Telegram offers additional functionality that other Messengers lack, like the ability to create groups of 200,000 members and share files as large as 1.5 GB. As the criminal statistics show, not all groups are created with good intentions. 

With all the features mentioned it is no surprise that Telegram has become a top messenger mentioned in criminal news about terrorists, child abuse, cybercrimedrug trade, etc. 

Let’s have a look at how Oxygen Forensic Detective can help law enforcement to extract valuable evidence from Telegram.

Telegram running on mobile devices

Currently, we support Telegram data extraction both from Apple iOS and Android devices.

To extract complete Telegram data from Apple iOS devices you will need to have either a GrayKey image or a jailbroken device, including one jailbroken with checkra1n. Please note that Telegram data cannot be obtained from a non-jailbroken device, as it is not included in iTunes backup by the app manufacturer. The maximum amount of data that you can get from a non- jailbroken device will only data from cache. 

As for Android devices, it is recommended to have a physical dump to have access to the full Telegram data, but there is one exception. You can extract Telegram data including secret chats from Huawei backups if you have a Huawei device to investigate. 

Please note that deleted messages can be fully recovered and there is still a chance to partially retrieve self-destructed messages if they were wiped recently. 

The evidence set will include: 

  • Account details
  • Contacts
  • Private and group chats 
  • Calls 
  • Channels 
  • “Add nearby people” information with geo coordinates 
  • Polls
  • Cache 
Picture 1. Secret chat extracted from Huawei backup

Telegram from cloud

Oxygen Forensic® Cloud Extractor offers the ability to extract data from Telegram cloud using a phone number or a token extracted from Android devices or found by Oxygen Forensic® KeyScout on PC. The evidence set will include:

  • Authorization sessions
  • Contacts
  • Private and group chats
  • Calls
  • Channels data 
  • Polls 

Secret chats cannot be extracted from the cloud, so this is the only information you will miss if you acquire Telegram cloud data. 

Moreover, Oxygen Forensic® Cloud Extractor supports 2FA and offers investigators to configure PROXY settings if necessary.

Picture 2. Entering a phone number to access the Telegram cloud

Telegram from PC

There are several options to users on how to use Telegram on a PC– Telegram and Unigram. The first app can be downloaded and installed from the Telegram website. The second one, Unigram, is available from the Microsoft store. Moreover, there is a web version of Telegram that runs in a web browser. Oxygen Forensic® KeyScout supports the extraction of data from all of them.  

Telegram Desktop app stores no user data on the PC. However, Oxygen Forensic® KeyScout extracts a Telegram token both from a web browser and a Telegram Desktop app. This token can be used for cloud extraction. 

If Telegram was used in a web browser the KeyScout will collect some artifacts that you will be able to view in a Web Browser section in Oxygen Forensic® Detective. But do not expect much. You will only see the that Telegram was run in a web browser but no user data is extracted. 

As for Unigram, KeyScout collects the most complete evidence set: 

  • Telegram token to be used for cloud extraction 
  • Account information 
  • Contacts 
  • Group chats and channels
  • Calls
  • Chats including secret chats 

Moreover, if you run the KeyScout on macOS or Linux you will also be able to detect the Telegram Desktop token there too. 

Picture 3. Unigram data is collected on Windows PC

As you see, we at Oxygen Forensics offer you the most comprehensive solution for Telegram data extraction from all its possible sources – mobile devices, cloud and computers. Stay tuned for more updates! 

Leave a Reply

Your email address will not be published. Required fields are marked *