Forensic Analysis of Instant Messengers: Decrypt Signal, Wickr, and Threema

• We presented a methodology for analyzing the decryption algorithm of instant messenger. We extracted data from both unrooted and rooted devices and performed static and dynamic analysis on messenger applications.
• We decrypted all encrypted files of Signal, Wickr, and Threema. Compared to previous studies, our study found a new decryption algorithm, expanded the range of decryptable files, and corrected outdated parameters.
• We described the decryption algorithms in detail and have released all decryption scripts through GitHub(this repository).

• We found a way to acquire INTERNAL data through the “Messenger Backup Migration”.
• We described the data extraction process in detail in our paper.

We use python3 to all scripts and write description based on our paper.

• Signal's decryption process is described in Table 2.
• We developed an APP that can steal the key of Signal’s Android Keystore. This app can do Step1 process. With the decrypted pref_database_encrypted_secret output from the app, we can decrypt the database.
• signal_getMultimedia.py can do Step2 and Step3 process and extract the multimedia decryption key. This file requires output from the app.
• signal_log_decrypt.py can do Step4 process and extract the log decryption key. This file requires output from the app.

• Wickr's decryption process is described in Table 4.
• Wickr_getDBKey.py can do Step1~3 process and extract the database decryption key.
• Wickr_getMultimedia.py can do Step4 process and extract the multimedia decryption key.
• wickr_prefs_decrypt.py can do Step1 and Step5 process and extract the preference decryption key.

• Threema's decryption process is described in Table 8.
• threema_DB_decrypt.py can do Step1 and Step2 process and extract the database decryption key.
• threema_getMultimedia.py can do Step3 process and extract the multimedia decryption key. This file require the key from Step2.

All these 3 messenger use SQLCipher, so we need PRAGMA values to success decryption. We listed PRAGMA values in Table 9.

Whenever the decryption algorithm of these messengers changes, we will leave a note here.

• 2021.09.23 First commit
• 2021.12.26 Add description(code not changed)
• 2022.01.10 Correct some mistakes on Wickr. Algorithm not changed.