Telegram Messenger Data Extraction In Oxygen Forensic Detective

Telegram is a cloud-based instant messaging and voice over IP service launched in 2013 by the brothers Nikolai and Pavel Durov. According to the U.S. Securities and Exchange Commission, the number of monthly Telegram users as of October 2019 is 300 million people worldwide. Let’s have a look at how Oxygen Forensic Detective can help law enforcement to extract valuable evidence from Telegram.

Telegram running on mobile devices

Currently, we support Telegram data extraction both from Apple iOS and Android devices.

To extract complete Telegram data from Apple iOS devices you will need to have either a GrayKey image or a jailbroken device, including one jailbroken with checkra1n. Please note that Telegram data cannot be obtained from a non-jailbroken device, as it is not included in iTunes backup by the app manufacturer. The maximum amount of data that you can get from a non-jailbroken device will be data from cache only.

As for Android devices, it is recommended to have a physical dump to have access to the full Telegram data, but there is one exception. You can extract Telegram data including secret chats from Huawei backups if you have a Huawei device to investigate.

Please note that deleted messages can be fully recovered and there is still a chance to partially retrieve self-destructed messages if they were wiped recently.

The evidence set will include:

  • Account details
  • Contacts
  • Private and group chats
  • Calls
  • Channels
  • “Add nearby people” information with geo coordinates
  • Polls
  • Cache

Telegram from cloud

Oxygen Forensic® Cloud Extractor offers the ability to extract data from Telegram cloud using a phone number or a token extracted from Android devices or found by Oxygen Forensic® KeyScout on PC. The evidence set will include:

  • Authorization sessions
  • Contacts
  • Private and group chats
  • Calls
  • Channels data
  • Polls

Secret chats cannot be extracted from the cloud, so this is the only information you will miss if you acquire Telegram cloud data.

Moreover, Oxygen Forensic® Cloud Extractor supports 2FA and lets investigators configure proxy settings if necessary.

Telegram from PC

Users have several options for using Telegram on a PC: Telegram and Unigram. The first app can be downloaded and installed from the Telegram website. The second one, Unigram, is available from the Microsoft Store. Moreover, there is a web version of Telegram that runs in a web browser. Oxygen Forensic® KeyScout supports the extraction of data from all of them.

Telegram Desktop app stores no user data on the PC. However, Oxygen Forensic® KeyScout extracts a Telegram token both from a web browser and a Telegram Desktop app. This token can be used for cloud extraction.

If Telegram was used in a web browser, KeyScout will collect some artifacts that you will be able to view in the Web Browser section in Oxygen Forensic® Detective. But do not expect much. You will only see that Telegram was run in a web browser, but no user data is extracted.

As for Unigram, KeyScout collects the most complete evidence set:

  • Telegram token to be used for cloud extraction
  • Account information
  • Contacts
  • Group chats and channels
  • Calls
  • Chats including secret chats

Moreover, if you run KeyScout on macOS or Linux, you will be able to detect the Telegram Desktop token there too.

As you see, we at Oxygen Forensics offer you the most comprehensive solution for Telegram data extraction from all its possible sources – mobile devices, cloud, and computers. Stay tuned for more updates!

If you wish to try this functionality in Oxygen Forensic Detective request a fully-featured demo license here


