Forensic Analysis of the ChatSecure Instant Messaging Application on Android Smartphones

摘要

We present the forensic analysis of the artifacts generated on Androidsmartphones by ChatSecure, a secure Instant Messaging application that providesstrong encryption for transmitted and locally-stored data to ensure the privacyof its users. We show that ChatSecure stores local copies of both exchanged messages andfiles into two distinct, AES-256 encrypted databases, and we devise a techniqueable to decrypt them when the secret passphrase, chosen by the user as theinitial step of the encryption process, is known. Furthermore, we show how this passphrase can be identified and extracted fromthe volatile memory of the device, where it persists for the entire executionof ChatSecure after having been entered by the user, thus allowing one to carryout decryption even if the passphrase is not revealed by the user. Finally, we discuss how to analyze and correlate the data stored in thedatabases used by ChatSecure to identify the IM accounts used by the user andhis/her buddies to communicate, as well as to reconstruct the chronology andcontents of the messages and files that have been exchanged among them. For our study we devise and use an experimental methodology, based on the useof emulated devices, that provides a very high degree of reproducibility of theresults, and we validate the results it yields against those obtained from realsmartphones.