Forensic Analysis of the ChatSecure Instant Messaging Application on Android Smartphones
Cosimo Anglano, Massimo Canonico, Marco Guazzone

TL;DR
This paper analyzes how ChatSecure stores and encrypts data on Android devices, presenting techniques to decrypt and analyze user communications by extracting passphrases from memory.
Contribution
It introduces a method to decrypt ChatSecure databases by extracting the user passphrase from volatile memory, enhancing forensic analysis capabilities.
Findings
Encrypted databases can be decrypted if the passphrase is known or extracted.
Memory analysis allows passphrase recovery during device investigation.
The methodology is validated on emulated and real devices.
Abstract
We present the forensic analysis of the artifacts generated on Android smartphones by ChatSecure, a secure Instant Messaging application that provides strong encryption for transmitted and locally-stored data to ensure the privacy of its users. We show that ChatSecure stores local copies of both exchanged messages and files into two distinct, AES-256 encrypted databases, and we devise a technique able to decrypt them when the secret passphrase, chosen by the user as the initial step of the encryption process, is known. Furthermore, we show how this passphrase can be identified and extracted from the volatile memory of the device, where it persists for the entire execution of ChatSecure after having been entered by the user, thus allowing one to carry out decryption even if the passphrase is not revealed by the user. Finally, we discuss how to analyze and correlate the data stored…
