Wickr some forensics up!

What is Wickr

Wickr Messenger allows users to exchange end-to-end encrypted and content-expiring messages, and make end-to-end encrypted video conference calls. Wickr was founded in 2012 by a group of security experts who wanted to implement new standards of data privacy that had been previously available only to military and intelligence operatives.

According to the Forrester New Wave™: Secure Communications, Q4 2018 report, Wickr is a leader among the 10 emerging technology companies selected. Wickr is regularly cited by various Internet sources as a secure messaging app. Let’s have a look at these security features.

The first, and one that often makes it stand out among other messengers, is the ability to remain anonymous. Registration is done with a username; a phone number is not required. Contacts can be gathered by sending invitations to phonebook contacts.

The second, and in fact the most important, feature is message expiration. There are two expiration settings in Wickr. The first, the Expiration Timer, sets the life span of every message from 6 hours to 6 days; after this time the message disappears from the device. The second, the Burn-On-Read Timer, can be set from 3 seconds to 6 days. It sets how long after the recipient views the content it is destroyed on the receiver’s device. The countdown starts as soon as the content is marked as “read”, but it never extends the life of the content beyond the destruction time determined by the “Expiration” value. Both the Expiration Timer and the Burn-On-Read Timer can also be set to custom values.

Bad news for investigators – all user content is genuinely wiped from the device once it expires, so there are currently no traces left to recover.

Expiration Timer in Wickr

Among the other security features worth mentioning is screenshot detection, which can prevent the recipient from taking a screenshot of the transferred information. Furthermore, all data, at rest and in transit, is encrypted with AES-256. As if this were not secure enough, if the “Require Authentication” option is enabled, the messenger asks for a password every time the user opens it.

There are several editions of Wickr: Wickr Me for home users and Wickr Pro for businesses. Oxygen Forensic Detective focuses on the home user version.

With all the security features mentioned, it is no surprise that Wickr has been reported to be a preferred tool of Islamic State (IS), as well as of drug dealers and of users sharing child abuse images.

We at Oxygen Forensics do our best to extract the maximum amount of evidence even from this challenging app. So what can we do with Wickr Me?

Wickr Me running on mobile devices

Currently we do not support Wickr extraction from Apple iOS devices, as the encryption key is stored in an inaccessible part of the keychain, but we are planning to add access to it and implement Wickr iOS decryption in an upcoming version. However, Oxygen Forensic® Detective fully supports Wickr Me decryption from Android devices acquired via physical extraction. The extracted evidence set includes account information, contacts, calls, and private and group messages, but only for a maximum of 6 days.

Wickr data extraction from Android device

Wickr from the cloud

Oxygen Forensic® Cloud Extractor offers the exclusive ability to extract data from the Wickr cloud via a username/password or a token extracted from an Android device (please note that the Wickr cloud has no 2FA). The evidence set varies depending on the authorization method.

If a username and password are used, the software extracts only the account information, connected devices and contacts.

If the Wickr token is available from the data extracted from the Android device, or is found on a PC by our Oxygen Forensic® KeyScout, it also gives access to chats (for at most the last 6 days), shared coordinates and calls. This wider access is explained by the fact that chats are bound to particular devices, so only a token gives access to them from the cloud.

Please note that you can access both Wickr Me and Wickr Pro accounts in our Oxygen Forensic® Cloud Extractor.

Authorization in Wickr cloud

Wickr from PC

Oxygen Forensic® KeyScout can collect both user data and credentials from Wickr Me installed on a Windows PC. The messenger data is encrypted, and the app has a password that is used for the encryption. Oxygen Forensic® KeyScout offers several methods of decryption. User data is decrypted if:

  • any password found by KeyScout on the PC matches the Wickr Me password;
  • the password to access the messenger was saved in the app;
  • the app was running during data collection.

The extracted evidence set includes the account info, contacts, calls, private and group messages with attachments, and the token. Please note that, due to the Wickr expiration feature, only messages from at most the last 6 days can normally be extracted. There are certain cases where we can extract older messages. For example, if a message was sent 15 days ago but Wickr Messenger has not been launched for 10 days, the older messages are still available for extraction by KeyScout. However, once the app is opened and the Wickr password is entered, the app wipes these expired messages from its databases.
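The two timers described earlier (Expiration Timer counted from sending, Burn-On-Read Timer counted from reading and capped by the expiration deadline) and the "app not launched for 10 days" scenario above can be combined into a small triage model that estimates which messages are still likely to be on disk at acquisition time. The following is an added example written for this post; it is not Wickr's or Oxygen Forensics' code, and the rule that expired content is purged only while the app is running with the password entered is a simplifying assumption drawn from the behaviour the post describes. The message records and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Timer ranges quoted in the post for Wickr Me settings.
EXPIRATION_MIN, EXPIRATION_MAX = timedelta(hours=6), timedelta(days=6)
BOR_MIN, BOR_MAX = timedelta(seconds=3), timedelta(days=6)


@dataclass
class Message:
    msg_id: str
    sent_at: datetime
    expiration: timedelta                       # Expiration Timer, counted from sending
    burn_on_read: Optional[timedelta] = None    # Burn-On-Read Timer, counted from reading
    read_at: Optional[datetime] = None          # None if the recipient never opened it


def validate_timers(expiration: timedelta, burn_on_read: Optional[timedelta]) -> None:
    """Reject timer values outside the ranges the post gives (6h..6d and 3s..6d)."""
    if not EXPIRATION_MIN <= expiration <= EXPIRATION_MAX:
        raise ValueError(f"expiration timer {expiration} outside 6h..6d")
    if burn_on_read is not None and not BOR_MIN <= burn_on_read <= BOR_MAX:
        raise ValueError(f"burn-on-read timer {burn_on_read} outside 3s..6d")


def destroy_at(msg: Message) -> datetime:
    """Time at which the message is destroyed on the receiving device."""
    validate_timers(msg.expiration, msg.burn_on_read)
    deadline = msg.sent_at + msg.expiration
    if msg.read_at is not None and msg.burn_on_read is not None:
        # Burn-on-read starts when the content is marked read, but never
        # extends the life of the content beyond the expiration deadline.
        deadline = min(deadline, msg.read_at + msg.burn_on_read)
    return deadline


def likely_on_disk(msg: Message, acquired_at: datetime, last_session_end: datetime) -> bool:
    """Assumption (simplified model): the app wipes expired content only while it is
    running with the password entered. A message that had not yet expired when the
    last session ended has therefore not been purged, even if it is expired now."""
    deadline = destroy_at(msg)
    if acquired_at < deadline:
        return True                      # not expired yet
    return last_session_end < deadline   # expired after the app last ran


def triage(messages: List[Message], acquired_at: datetime, last_session_end: datetime) -> List[str]:
    """IDs of messages worth looking for in the on-disk databases."""
    return [m.msg_id for m in messages if likely_on_disk(m, acquired_at, last_session_end)]


# Constructed sample: acquisition at T0, app last closed 10 days earlier (the post's scenario).
T0 = datetime(2019, 3, 20, 12, 0)
LAST_SESSION_END = T0 - timedelta(days=10)
SAMPLE = [
    # sent 15 days ago, 6-day expiration: expired 9 days ago, after the last session -> still on disk
    Message("m1", T0 - timedelta(days=15), timedelta(days=6)),
    # read while the app was running, burned 1 hour after reading -> purged during that session
    Message("m2", T0 - timedelta(days=13), timedelta(days=6),
            burn_on_read=timedelta(hours=1), read_at=T0 - timedelta(days=12)),
    # sent 11 days ago, expired 5 days ago, app not running since -> still on disk
    Message("m3", T0 - timedelta(days=11), timedelta(days=6)),
    # 6-day burn-on-read capped by a 2-day expiration: destroyed exactly when the session ended -> purged
    Message("m4", T0 - timedelta(days=12), timedelta(days=2),
            burn_on_read=timedelta(days=6), read_at=T0 - timedelta(days=11)),
]

if __name__ == "__main__":
    print("app idle for 10 days:", triage(SAMPLE, T0, LAST_SESSION_END))
    print("app opened yesterday:", triage(SAMPLE, T0, T0 - timedelta(days=1)))
```

The second call in the usage block shows the flip side of the post's note: once the app has been opened with the password after the messages expired, the model reports nothing left to find, which is why acquiring the PC before anyone launches the messenger matters.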

Wickr Me data collection by KeyScout

As you can see from the information in Image 4, Wickr Messenger extraction is often challenging. The main challenges are:

  • message expiration, which cannot be overcome;
  • data encryption, which changes often;
  • data bound to the device, which means a token is needed, and without it little data can be extracted from the cloud service.

Do not panic! Oxygen Forensics Inc. will do our best to have you covered.
