Hey guys,
I have some Android phone extractions with Signal. Both extractions come from phones belonging to the same target.
Phone 1: Samsung SM-G950W, Android 8.0, Signal version 4.35.3
Phone 2: Samsung SM-G950W, Android 7.0, Signal version 4.21.6
Both phones were acquired by Cellebrite CAS, so I have full file system extractions.
My problem is that there is Signal data on the phone and I would like to extract it, but the DBs are encrypted.
I've processed the extractions with UFED PA 7.33 and Oxygen 12.4. Neither was able to decrypt the data.
I'm trying to find a way to decrypt the DB manually, but the encryption keys on Android are not stored the same way as on iOS.
I've read a bit on Signal on Android to figure out how to do so. This paper on the matter is very interesting (http//
Here is what I've tried so far:
- I've extracted the "org.thoughtcrime.securesms" folder from /userdata/Root/data/.
- I've extracted the ".10244_chr_USRSKEY_SignalSecret" file from /data/misc/keystore/user_0/. This file should contain the
crypto key to encrypt the DB encryption key.
- In the "org.thoughtcrime.securesms/shared_prefs/org.thoughtcrime.securesms_preferences.xml", the following line should be
the hashed value in Base64 and the IV of the DB encryption key:
<string name="pref_database_encrypted_secret">{&quot;data&quot;:&quot;uPPbhy85Up1TIQopkcB1Npi+cgU5+OmYPyzWTXjxfdQEJYYcNASydFdlIakV7gBU&quot;,&quot;iv&quot;:&quot;asXdp26Envk2IcmU&quot;}</string>
- Tried converting the above hash to hex, then using an AES to decrypt the hash using "asXdp26Envk2IcmU" as an init vector
and the hex content of the ".10244_chr_USRSKEY_SignalSecret" as the key.
Does not work. It says that the key is not the right size nor is the IV.
Now I'm not sure what to do next.
Does anybody have any idea what I am missing?
Thanks
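
Added example, not part of the original post: a Python sketch that parses the pref_database_encrypted_secret value quoted above and shows what its two Base64 fields decode to. It assumes the value is sealed with AES-GCM (12-byte nonce, 16-byte tag appended to the ciphertext), as in Signal-Android's open-source KeyStoreHelper, and that the keystore file is a wrapped key blob rather than a raw AES key; the function names are hypothetical.

```python
import base64
import json
import xml.etree.ElementTree as ET

GCM_NONCE_LEN = 12  # bytes; standard AES-GCM nonce size (assumed cipher mode)
GCM_TAG_LEN = 16    # bytes; Java's GCM output appends the tag to the ciphertext

# Preference line from the post (JSON colons restored), wrapped in a <map> root
# the way a shared_prefs file is laid out.
PREFS_XML = """<map>
<string name="pref_database_encrypted_secret">{&quot;data&quot;:&quot;uPPbhy85Up1TIQopkcB1Npi+cgU5+OmYPyzWTXjxfdQEJYYcNASydFdlIakV7gBU&quot;,&quot;iv&quot;:&quot;asXdp26Envk2IcmU&quot;}</string>
</map>"""


def parse_sealed_secret(prefs_xml, name="pref_database_encrypted_secret"):
    """Return the sealed value split into nonce, ciphertext and GCM tag."""
    root = ET.fromstring(prefs_xml)
    node = root.find(f"./string[@name='{name}']")
    if node is None or not node.text:
        raise ValueError(f"{name} not found in shared_prefs XML")
    sealed = json.loads(node.text)  # ElementTree has already unescaped &quot;
    # Both fields are Base64 text, not raw bytes and not hex.
    iv = base64.b64decode(sealed["iv"], validate=True)
    data = base64.b64decode(sealed["data"], validate=True)
    if len(iv) != GCM_NONCE_LEN:
        raise ValueError(f"unexpected IV length {len(iv)}")
    if len(data) <= GCM_TAG_LEN:
        raise ValueError("data too short to hold a GCM tag")
    return {"iv": iv,
            "ciphertext": data[:-GCM_TAG_LEN],
            "tag": data[-GCM_TAG_LEN:]}


def is_raw_aes_key(blob):
    """True only if blob has a valid raw AES key length (16, 24 or 32 bytes)."""
    return len(blob) in (16, 24, 32)


if __name__ == "__main__":
    s = parse_sealed_secret(PREFS_XML)
    print("nonce      :", len(s["iv"]), "bytes", s["iv"].hex())
    print("ciphertext :", len(s["ciphertext"]), "bytes")
    print("tag        :", len(s["tag"]), "bytes")
    # Constructed stand-in for the keystore file contents, not real data.
    print("100-byte blob usable as raw AES key?", is_raw_aes_key(bytes(100)))
```

The 16-character "iv" string is Base64 for a 12-byte nonce, and the 48 decoded bytes of "data" split into 32 bytes of ciphertext plus a 16-byte tag, which is why a CBC-style tool rejects the sizes.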