Wickr Me Messenger allows users to exchange end-to-end encrypted and content-expiring messages, as well as end-to-end encrypted video conference calls. Wickr Me was founded in 2012 by a group of security experts who wanted to implement new standards of data privacy that had been previously available only to military and intelligence operatives. All communications on Wickr Me are encrypted locally on each device with a new key generated for each new message, meaning that no one except Wickr Me users has the keys to decipher their content.
Oxygen Forensic® Detective has a long history of supporting data extraction from Wickr Me. Data parsing from Wickr Me was first added in version 9.2.1 in 2017. Since then, we have continuously updated our software, providing our customers with better and more comprehensive support of even the most secure services.
Using Oxygen Forensic® Detective v.14.1, investigators can extract data from Wickr Me using OxyAgent, our very own application designed for cases when an Android device cannot be connected to the investigator’s PC via the usual methods or when physical data extraction is not supported. Before trying this method, make sure that the device under investigation meets the following criteria:
- The device should be unlocked.
- The device should run Android 4.x or higher.
- It should be possible to insert an SD card or an OTG-adapter into the device.
- It should be possible to run third-party apps on the device.
Installing OxyAgent
To install OxyAgent, run Oxygen Forensic® Extractor from the Oxygen Forensic® Detective home screen, select the Android OxyAgent extraction of interest from the list of available Android data extraction types, and follow the instructions on the screen.
Extracting Data
As soon as OxyAgent has been downloaded on the device, proceed to “Extract third party application data” to extract Wickr Me data. Please note that accessibility services have to be activated on the device in OxyAgent settings since Wickr Me does not have built-in data storage methods. Accessibility services are required for moving across the menu, scrolling pages, and collecting data.
Running OxyAgent
Automatic message unblock and screenshot permission are turned off in the app by default. Since they are essential for data collection, OxyAgent turns these features on before data extraction starts and restores the previous settings upon its completion.
With OxyAgent, investigators can extract account information, user’s contacts, private chats with attachments, rooms (group conversations) with attachments, saved files, links, and calls from the Wickr Me application.
Note: The Expiration Timer in Wickr Me sets the lifespan of every message from 6 hours to 6 days; after this allotted time, the message will disappear from the device. Expired messages cannot be extracted via OxyAgent. To acquire them, investigators will have to use a physical extraction method. Also, performing Wickr Me extraction via OxyAgent or opening the Wickr Me application leads to the automatic deletion of expired messages.
Investigators can fine-tune data extraction from Wickr Me using additional settings that let them:
- Save information about group participants.
- Save profile pictures during extraction.
- Save available attachments from chats.
- Extract saved items from group chats.
- Extract all private chats.
- Extract all group chats.
- Extract all messages.
We recommend using this feature when searching for specific data and when time is of the essence. However, in other cases, it is always better to have a full scope of all available data.
To find out more about Wickr Me support in Oxygen Forensic® Detective, read one of our previous blog posts.