What is Telegram?
Telegram launched in 2013 and is a cloud-based instant messaging service, similar to WhatsApp and Facebook Messenger. What makes Telegram unique is its focus on privacy, encryption, and an open-source API. Today Telegram has over 550 million active users worldwide and is the 7th most downloaded app.
Telegram Security Features: Potential Hurdles to Your Investigation
Telegram is so confident its messages cannot be deciphered that it is actually running contests challenging users to crack its encryption for a $300,000 prize. But how secure is it really?
- Secret chats. Telegram offers end-to-end encrypted communication in secret chats. Moreover, secret chat messages cannot be forwarded or screenshot.
- Self-destruct timer. For users who are especially concerned about privacy, secret chats also offer self-destruct timers for messages. The timer can be set anywhere from one second to one week, after which the message is permanently deleted.
- Message deletion. Users can delete not only their own messages but also the messages of their remote parties, even after those messages have been viewed.
- Username-based contact. To chat with people on Telegram it is not necessary to share your phone number with them; the phone number is only required for registration. Other users can find you by your username.
- Cloud-based. Telegram is a cloud-based messenger, so all the data is synchronized between devices (such as your mobile device and computer).
- Add people nearby. Telegram offers a unique feature called “Add people nearby”, which allows users to find people nearby who have enabled this feature. You can chat with them, enter nearby groups, or read messages and contact details shared there. A potential benefit to investigations is the fact that these nearby chats are saved together with geo coordinates and can be extracted from mobile devices.
- Channels. In Telegram, anybody can create a channel to transmit information like commercial deals, news, personal blogs, and more. The extracted channel information may give lots of insights about the user’s interests to the investigator, especially when channels publish illegal information.
- More capacity. Telegram offers additional functionality that other messengers lack, such as the ability to create groups of up to 200,000 members and to share files as large as 1.5 GB.
While any app can be targeted by the wrong people, Telegram’s secure reputation and lax moderation have also been known to attract criminals.
Latest Updates to our Telegram Extraction Methods
There was an update to Telegram extraction methods in v.15.5 of Oxygen Forensic® Detective.
- Telegram Exported Data Support
- Update to the Telegram Cloud
Telegram Exported Data Support
Telegram users can export some or all of their chats from Telegram, including the photos and other media they contain. The export can be saved as a .json or an .html file. Starting with Oxygen Forensic® Detective version v.15.5, investigators can import Telegram Exported Data directly into the software to promptly and thoroughly analyze the backup.
To do this, first, select “Telegram” under “Downloaded accounts data” in the home menu of Oxygen Forensic® Detective.
Then, select the backup in the opened window.
In the Import Wizard, you can fine-tune the import settings. Click “Import” as soon as everything is set.
As soon as the backup is parsed, the following data becomes available for review and analysis:
- Information about the user account;
- List of their contacts;
- Chats they have participated in. Please note that only messages sent by the account owner can be extracted from group and channel chats.
- Active sessions or connected devices;
- Attachments, including images, videos, files, video and voice messages, stickers, GIFs, and other files.
Please note that the exact scope of data depends on the backup itself.
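To show what such an export contains before it is imported, here is an added example (not Oxygen's or Telegram's code) that inventories a Telegram JSON export: per-chat message and service-event counts, senders, attachments, flattened text and date range. The field layout it reads (personal_information, contacts, sessions, and chats, each holding a "list", with message text stored either as a string or as a list of parts) is assumed from the export format, and the sample data is constructed.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample in the layout assumed for Telegram's JSON export ("result.json"):
# top-level personal_information / contacts / sessions / chats, each holding a "list",
# with message "text" either a plain string or a list of string and dict parts.
SAMPLE_EXPORT = json.dumps({
    "personal_information": {"user_id": 1001, "username": "sample_user"},
    "contacts": {"list": [{"first_name": "Alice", "phone_number": "+10000000001"}]},
    "sessions": {"list": [{"platform": "Android", "ip": "203.0.113.10"}]},
    "chats": {"list": [
        {"name": "Alice", "type": "personal_chat", "id": 2002, "messages": [
            {"id": 1, "type": "message", "date": "2024-03-01T10:00:00", "from": "Sample", "text": "hi"},
            {"id": 2, "type": "message", "date": "2024-03-01T10:05:00", "from": "Alice",
             "text": [{"type": "link", "text": "https://example.invalid"}, " see this"],
             "photo": "photos/photo_1@01-03-2024_10-05-00.jpg"}]},
        {"name": "Team", "type": "private_supergroup", "id": 3003, "messages": [
            {"id": 10, "type": "service", "date": "2024-03-02T09:00:00", "actor": "Sample", "action": "create_group"},
            {"id": 11, "type": "message", "date": "2024-03-02T09:01:00", "from": "Sample", "text": "report",
             "file": "files/report.pdf"}]}]},
})

def flatten_text(text):
    """Join formatted text parts (strings and {'type', 'text'} dicts) into one string."""
    if isinstance(text, str):
        return text
    return "".join(p if isinstance(p, str) else p.get("text", "") for p in text)

def summarize_export(raw):
    """Build a per-chat triage summary: message/service counts, senders, attachments, dates."""
    data = json.loads(raw)
    summary = {"owner": data.get("personal_information", {}).get("username"),
               "contacts": len(data.get("contacts", {}).get("list", [])),
               "sessions": len(data.get("sessions", {}).get("list", [])), "chats": []}
    for chat in data.get("chats", {}).get("list", []):
        msgs = chat.get("messages", [])
        senders = Counter(m.get("from") for m in msgs if m.get("type") == "message")
        dates = sorted(datetime.fromisoformat(m["date"]) for m in msgs if "date" in m)
        summary["chats"].append({
            "name": chat.get("name"), "type": chat.get("type"),
            "messages": sum(senders.values()), "senders": dict(senders),
            "service_events": sum(1 for m in msgs if m.get("type") == "service"),
            "attachments": [m[k] for m in msgs for k in ("photo", "file") if k in m],
            "texts": [flatten_text(m["text"]) for m in msgs if "text" in m],
            "first": dates[0].isoformat() if dates else None,
            "last": dates[-1].isoformat() if dates else None})
    return summary
```

Run it against a real export by reading result.json from disk and passing its contents to summarize_export; the attachment paths it lists are relative to the export folder.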
New from Telegram Cloud
We have enhanced our support for Telegram cloud as well. Investigators armed with Oxygen Forensic® Detective can now extract the most recent chat events, chat topics, and collectible usernames from Telegram cloud.
Chat and channel owners have access to a page that lists the changes recorded over the last 48 hours. These events include not only adding or removing users and changing the chat picture, but also records of messages being deleted or edited, including their previous versions.
Since this data might be forensically useful, it can now be extracted when authorizing to Telegram cloud with the chat owner’s or an administrator’s account.
Since Telegram groups can become huge, chat topics have been introduced to help users keep track of all the messages. With this feature, separate chats called Topics can be created under different names within a group. Topics function as individual chats within the group – supporting their own shared media and notification settings.
In the new versions of Oxygen Forensic® Detective, the topics are extracted as well, aiding in the analysis of group chats.
Telegram users can contact each other or find public groups and channels via usernames. Collectible usernames, the ownership of which is secured by TON, can be assigned to accounts and public chats. They can also be bought and sold through a separate platform.
Users of the newest versions of Oxygen Forensic® Detective can extract the list of collectible usernames acquired by the account owner when extracting data from their Telegram Cloud.
Reactions to messages
Some emojis can be used as reactions to messages shared in chats and channels. While all reactions are available in private chats, their use in group chats and channels may be restricted. Telegram users utilize reactions to share their opinion on various matters without having to type an answer. The reactions a user has applied can now be extracted when acquiring data from Telegram Cloud.
Other Cloud Updates
Investigators, armed with the new version of Oxygen Forensic® Detective, can now also extract:
- Lists of the users that were blocked by the account owner and information about them;
- Requests to join groups and channels;
- Information about the account’s premium subscription to Telegram.
To extract data from the Telegram cloud, open Cloud Extractor from the home menu of Oxygen Forensic® Detective, fill in all necessary information about the extraction, and then locate Telegram within the list of available services.
Click on the app icon or select the “Add credentials” option to open the authorization window. As soon as credentials are entered and verified, the extraction process will begin.
Alternatively, investigators can prompt data extraction from Telegram Cloud from the “Accounts and passwords” section of an already analyzed device that has been used to access the Telegram account under investigation. To do this, select the “Extract with Cloud Extractor” option on the toolbar, and Cloud Extractor will open with the token already filled in.
Telegram Forensics: How to extract data from Telegram
Telegram is available on multiple platforms: iOS, Android, and PC. All secure chats are saved on the cloud and not on Telegram servers. To help law enforcement extract evidence from Telegram, Oxygen Forensics integrated Telegram extraction tools into Oxygen Forensic® Detective, its all-in-one digital forensic solution.
We will cover how to extract data from the app, cloud, and PC Telegram platforms using Oxygen Forensic® Detective.
Telegram Extraction Methods in Oxygen Forensic® Detective
Telegram App Extraction
Currently, Oxygen Forensic® Detective supports Telegram data extraction both from Apple iOS and Android devices.
To extract complete Telegram data from Apple iOS devices investigators will need to use the full file system extraction via checkm8.
Please note that Telegram data cannot be obtained from a non-jailbroken device, as the app manufacturer excludes it from iTunes backups. The most that investigators can get from a non-jailbroken device is data from the cache.
For Android devices, it is recommended to use the screen lock bypass or FFS extraction methods to have access to the full Telegram data. Deleted messages can be fully recovered, and there is still a chance to partially retrieve self-destructed messages if they were wiped recently.
The evidence set will include:
- Account details
- Private and group chats
- “Add nearby people” information with geo coordinates
Extract Telegram from the Cloud
For forensic investigators, Telegram being a cloud-based messaging platform means that cloud evidence might be a great alternative source of Telegram data in case they have no access to the user’s mobile device or computer.
Oxygen Forensic® Cloud Extractor offers the ability to extract data from Telegram cloud using a phone number, QR code, or a token extracted from Android devices or found by Oxygen Forensic® KeyScout on PC. The evidence set will include:
- Authorization sessions
- Private and group chats
- Channels data
Secret chats cannot be extracted from the cloud, so this is the only information investigators will miss if Telegram cloud data is acquired.
Oxygen Forensic® Cloud Extractor supports 2FA (two-factor authentication) and offers investigators the ability to configure proxy settings, if necessary. See the Telegram Cloud updates described above.
Extract Telegram from a PC
Both Telegram Desktop and Store versions for Windows and Linux do not store user data on the PC. However, Oxygen Forensic® KeyScout extracts a token from all the Telegram versions. This token can be used for cloud extraction.
If Telegram was used in the web browser, KeyScout will collect some artifacts that investigators will be able to view in the “Web Browser” section in Oxygen Forensic® Detective. With this tool investigators will only be able to see that Telegram was run in a web browser but user data cannot be extracted.
The full set of evidence can currently be extracted only from Telegram for macOS (Desktop and Store versions). Data will include:
- Chat folders
- Chats info
- Encrypted databases
- Reactions information