

~/Library/Application Support/Signal/sql/db.sqlite

It should be noted that this database is encrypted using SQLCipher, but don't worry, the encryption key is conveniently located in the adjacent config.json file.

For browsing the database under Windows I recommend using a recent version of DB Browser for SQLite, but pretty much any software that supports SQLCipher would do. Simply fire up DB Browser for SQLite, navigate to the db.sqlite and you'll be prompted to specify a password (see image below). At this step it is important to set the toggle to the right of the password field to raw key and set the encryption settings to SQLCipher 4 defaults. As a key, you will have to specify the 0x prefix + the key specified in the JSON dictionary located in the config.json under %appdata%\Signal\. If your config.json looks like this, then the raw key would be 0xb.40

Figure: Signal Messenger config.json

Figure: DB Browser for SQLite

The Database Structure

In the current version, the database consists of 24 tables. From a digital forensics perspective, the most interesting ones are undoubtedly the messages tables, as these might hold some potential evidence about the case you are inspecting.

Let us look at a common scenario and try to extract the message body, format the timestamp neatly, include the direction of the message flow and list the sender phone number.

    SELECT strftime('%Y-%m-%d %H:%M:%S', (received_at / 1000), 'unixepoch') AS Time,
           source AS Contact,
           CASE sourceDevice WHEN 1 THEN 'received' ELSE 'sent' END AS Direction,
           body AS Message
    FROM messages
    ORDER BY Time DESC

The resulting table would look somewhat like this:

Figure: Signal Messages queried in DB Browser for SQLite

Feel free to browse the remaining tables yourself and let me know of any other queries you have found!

Other Artefacts of Interest

The Attachments folder contains thumbnails and previews of the exchanged attachments. These can be viewed through a standard browser, like Google Chrome.

Configuration details, such as device names, are available from the database, which might be useful for locating additional evidence.
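The raw-key step and the messages query described in this post, as an added example (not code from the original post): it builds the DB Browser raw-key string from config.json and runs the post's query against a small constructed, unencrypted stand-in table using Python's built-in sqlite3. The JSON field name `key`, the 64-hex-character length check and all sample rows are assumptions.

```python
import json
import sqlite3
import string

# The query from the post; only the layout is changed.
MESSAGE_QUERY = """
SELECT strftime('%Y-%m-%d %H:%M:%S', (received_at / 1000), 'unixepoch') AS Time,
       source AS Contact,
       CASE sourceDevice WHEN 1 THEN 'received' ELSE 'sent' END AS Direction,
       body AS Message
FROM messages
ORDER BY Time DESC
"""

def raw_key_from_config(config_text):
    """Return '0x' + hex key, the form entered in the raw key field."""
    key = json.loads(config_text)["key"]  # assumption: the field is named "key"
    # Assumption: a 32-byte raw key, i.e. 64 hex characters.
    if len(key) != 64 or not all(c in string.hexdigits for c in key):
        raise ValueError("config.json key is not 64 hex characters")
    return "0x" + key

def build_sample_db():
    """Constructed stand-in for a decrypted db.sqlite (only the queried columns)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE messages (received_at INTEGER, source TEXT, "
                "sourceDevice INTEGER, body TEXT)")
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (1577836800000, "+15550100", 1, "hello"),       # 2020-01-01 00:00:00 UTC
        (1577836860500, "+15550100", 2, "hi back"),     # sourceDevice other than 1
        (1577923200000, None, None, "note to self"),    # NULL source/sourceDevice
    ])
    return con

def message_timeline(con):
    """Run the post's query and return (Time, Contact, Direction, Message) rows."""
    return con.execute(MESSAGE_QUERY).fetchall()

if __name__ == "__main__":
    sample_config = json.dumps({"key": "ab" * 32})      # constructed key
    print(raw_key_from_config(sample_config))
    for row in message_timeline(build_sample_db()):
        print(row)
```

Times come out in UTC, and the CASE expression reports every sourceDevice value other than 1, including NULL, as 'sent', so the Direction column should be checked against other fields before it is relied on.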
