Author affiliations: Kookmin Univ Dept Financial Informat Secur 77 Jeongneung Ro Seoul 02707 South Korea; Kookmin Univ Dept Informat Secur Cryptol & Math 77 Jeongneung Ro Seoul 02707 South Korea; Prosecutors Off Digital Invest Div 157 Banpo Daero Seoul 06590 South Korea
Publication: FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION (For. Sci. Int: Dig. Investigation)
Year/Volume/Issue: 2020, Volume 35
Subjects: Telegram X; Unigram; BBM-Enterprise; Database decryption; Instant messenger
Abstract: Instant messenger (IM) apps, which store a variety of behavioral information about users, such as secret chats, group chats, and file sharing, are important tools for digital forensics investigation. Messenger apps on mobile devices store user-friendly data, but data collection can be difficult due to various constraints. PC messenger data, on the other hand, can be collected relatively easily, but tend to be less informative than data from mobile messengers. Most messengers are cross-platform, supporting both mobile devices and PCs, and providing synchronization services, a situation which can overcome the constraints of data extraction for evidence acquisition. This allows for complementary interaction when extracting data generated by the use of IMs. However, some IMs encrypt their data for protection against external threats. The use of encryption can effectively protect the user's data, but poses a significant challenge to digital forensics, in which data should be decrypted to be used as evidence. Such IMs normally use a combination of key derivation functions and cryptographic algorithms to encrypt data. It is therefore necessary to identify the relationships between the functions used for encryption, in order to decrypt IM data, so that it can be used as evidence, and to determine the secret values used for generating keys. In this paper, we propose methods for acquiring user data, including conversation history protected by encryption by analyzing the Telegram X and BBM-Enterprise apps that perform in various mobile and PC operating environments. Both applications encrypt their databases using an SQLite extension module called SQLCipher. In order to decrypt these databases, we identified the parameters of SQLCipher, and derived a Passphrase, the main secret. In addition, we validated our approach by conducting an experiment to decrypt the encrypted databases of Telegram X and BBM-Enterprise. (C) 2020 Elsevier Ltd. All rights reserved.