Forensic analysis of Telegram Messenger on iOS smartphones

Abstract

As mobile messengers have dominated and penetrated our daily communication and activities, the odds of them being involved in criminal activities have increased. Since each messenger usually uses its own proprietary data schema (including encoding, encryption and frequent updates) to store communication data, with a pressing demand, investigative authorities require a solution to transfer the data in a processable structure to analyse it efficiently, especially in a forensic context. Therefore, this work identifies and examines locally stored data of the Telegram Messenger with high forensic value on iOS devices. In particular, this work deals with extracting contact and communication data to link and analyse it. For this purpose, artificially generated test data, as well as the open source code of the Telegram Messenger under iOS, are analysed. The main focus of this work lies on the primary database in which a large part of data is coded and, therefore, needs to be transferred into an interpretable form. In summary, this work enables a manual or automated analysis of Messenger data for investigative authorities and IT companies with forensic reference. The proposed method can also be adapted in research to analyse further instant messaging services.