Abstract
As organized crime groups use instant messengers, obtaining digital evidence from instant messengers becomes increasingly important. Recently, instant messengers have adopted end-to-end encryption, so such evidence can be obtained only from the mobile device itself. However, some instant messengers also encrypt the database and multimedia files they store on the device, making forensic analysis of mobile devices difficult. In this paper, we present a methodology for analyzing a messenger's decryption algorithm and apply it to Signal, Wickr, and Threema. We extracted data from both unrooted and rooted devices and performed static and dynamic analysis. As a result, we succeeded in decrypting all encrypted database, multimedia, log, and preference files of the three messengers. We describe the decryption algorithms and disclose all decryption scripts.
•We present a methodology for analyzing the decryption algorithms of instant messengers. We extracted data from both unrooted and rooted devices and performed static and dynamic analysis on the messenger applications.
•We decrypted all encrypted files of Signal, Wickr, and Threema. Compared to previous studies, our study found a new decryption algorithm, expanded the range of decryptable files, and corrected outdated parameters.
•We describe the decryption algorithms in detail and have released all decryption scripts on GitHub.