Investigating Android Telegram
14/07/2023 Friday
The Android Telegram app, developed by Telegram Messenger LLP, is a free messaging application known for its user-friendly interface and strong focus on security. With features such as text messaging, voice and video calls, media sharing, and group chats, Telegram offers comprehensive messaging experience. It employs end-to-end encryption for message privacy and allows users to set self-destruct timers for added security. The app also provides cloud-based storage for seamless access to chats across multiple devices. Additionally, Telegram supports bots and channels, enabling users to automate tasks and receive updates from their favorite content providers.
Digital Forensics Value of Telegram
Telegram, as a popular messaging app, holds significant value in digital forensics. With its widespread use and diverse features, analyzing the artifacts left behind by Telegram can provide valuable insights for forensic investigations. As an integral mode of communication, Telegram's messages, media files, and call records can offer crucial evidence in tracking and uncovering illicit activities. Forensic analysis of Telegram can aid in uncovering communication patterns, identifying involved individuals, and recovering deleted or encrypted data, thereby playing a vital role in digital investigations.
Location of Telegram Artifacts
Telegram artifacts are found in the following location:
data/org.telegram.messenger/files/
Analyzing Telegram with ArtiFast
This section will discuss how to use ArtiFast to extract Telegram from Android and what kind of digital forensics insights we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Telegram artifacts.
×
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Telegram artifacts in ArtiFast.
Android Telegram Chats
- Time - The date and time of the last message in the chat.
- Unread Count - The number of unread messages.
- Last Message ID - The ID of the last message in the chat.
- Pinned - Indicates whether this chat was pinned or not.
- Chat ID - The ID of the chat.
- Chat Name - The name of the chat.
Android Telegram Messages
- Time - The message creation date and time.
- Receiver’s Name - The name of the message recipient.
- Database Row ID - The row ID that holds the message record in the database.
- Reply Data - Message reply data.
- Message Text - The message body.
- Message ID - The message ID.
- Sender Name - The name of the message sender.
- Send State - Indicates whether the message was sent or not.
- Media - The message media.
- Message Direction - The message direction whether it was incoming or outgoing.
Android Telegram Users
- Time - The user status update Date.
- User ID - The user unique identifier.
- Name - The user name.
For more information or suggestions please contact: [email protected]
