Telegram

Author: Simone Marinari

description

Telegram Desktop

paths

%APPDATA%\Telegram Desktop
%USERPROFILE%\Downloads\Telegram Desktop

paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: Telegram
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*');
    # robocopy itself does not glob the source path.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Telegram app folder
        $UserPath = "$($_.FullName)\AppData\Roaming\Telegram Desktop"
        Collect-Artifact -SourceDir $UserPath -FolderName "Telegram_app_folder_$UserName"
        # Telegram downloaded files
        $UserPath = "$($_.FullName)\Downloads\Telegram Desktop"
        Collect-Artifact -SourceDir $UserPath -FolderName "Telegram_downloaded_files_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
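Once the collection has finished, the copied evidence should be fixed with a hash manifest so that later analysis can be checked against the data as acquired. The following PowerShell is an added example, not part of the original collection script: it walks the evidence folder (defaulting to the script's D:\Evidence), records a SHA-256 per file into a CSV manifest, and provides a re-verification function. The manifest file name is my own choice.

```powershell
# Added example (not part of the original artifact page): build and verify a
# SHA-256 manifest of the collected Telegram evidence.
# Assumes the evidence root used by the collection script above (D:\Evidence).

function New-EvidenceManifest {
    param(
        [string]$EvidenceRoot = 'D:\Evidence',
        [string]$ManifestPath = (Join-Path $EvidenceRoot 'manifest.sha256.csv')
    )
    $rootLen = $EvidenceRoot.TrimEnd('\').Length + 1
    $rows = Get-ChildItem -LiteralPath $EvidenceRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $ManifestPath } |
        ForEach-Object {
            # Hash failures (locked/unreadable files) are recorded, not silently dropped.
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $digest = 'HASH_FAILED'
            if ($hash) { $digest = $hash.Hash }
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($rootLen)
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
                SHA256       = $digest
            }
        }
    $rows | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
    return $rows
}

# Recompute every hash and compare with the stored manifest; returns $true
# only when every file is present and unchanged.
function Test-EvidenceManifest {
    param(
        [string]$EvidenceRoot = 'D:\Evidence',
        [string]$ManifestPath = (Join-Path $EvidenceRoot 'manifest.sha256.csv')
    )
    $expected = Import-Csv -LiteralPath $ManifestPath
    $problems = foreach ($row in $expected) {
        $full = Join-Path $EvidenceRoot $row.RelativePath
        if (-not (Test-Path -LiteralPath $full)) { "$($row.RelativePath): MISSING"; continue }
        $now = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($now -ne $row.SHA256) { "$($row.RelativePath): MODIFIED" }
    }
    if ($problems) { $problems | Write-Warning; return $false }
    return $true
}

# Usage after the collection script has run:
$manifest = New-EvidenceManifest -EvidenceRoot 'D:\Evidence'
"{0} files hashed" -f $manifest.Count
Test-EvidenceManifest -EvidenceRoot 'D:\Evidence'
```

Run the manifest step immediately after the collection, before any viewer or parser touches the copied Telegram folder; the script's robocopy check treats any exit code up to 7 as success, so the manifest is also the place where a partially copied file would show up as a later MODIFIED or MISSING entry rather than going unnoticed.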

cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references

notes

Telegram Desktop is the official Windows client of the messaging platform.

The main difference from WhatsApp is the cloud capability: if you need to recover chats but don't have access to the smartphone, you can get all "active" content from the desktop app.

You need to open the application with an active internet connection to view all chats and media content.

If you only need to read a single conversation, select it and then read it offline.

To export all data you must be online and run "Export Telegram Data" from Settings -> Advanced.

***FORENSIC CAUTION***: Be aware that you will be authenticated and you'll receive new content and messages (with the "online" status).

***IMPORTANT NOTES***

It's not possible to recover messages from local cache/temp files because of encryption (this only works on old versions, and few tools are available).

You can't get "private messages" because they're not in the cloud.
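The "Export Telegram Data" function can write its output as JSON (a single result.json). The PowerShell below is an added example, not part of this artifact page, that flattens such an export into a per-message timeline suitable for CSV review. The field layout it assumes (chats.list[].messages[] with id, type, date, date_unixtime, from and a text that is either a string or an array of strings and entity objects) reflects the export format as I know it and should be confirmed against a real export; the sample JSON is constructed for the demonstration.

```powershell
# Added example (not part of the original artifact page): flatten a Telegram
# Desktop JSON export (result.json) into a per-message timeline.
# Assumed export layout: chats.list[].messages[] with id/type/date/date_unixtime/from/text.

function Convert-TelegramExportToTimeline {
    param(
        [Parameter(Mandatory)][string]$ExportPath   # path to result.json
    )
    $export = Get-Content -LiteralPath $ExportPath -Raw -Encoding UTF8 | ConvertFrom-Json
    foreach ($chat in $export.chats.list) {
        # Only "message" entries carry from/text; "service" entries (calls,
        # joins, pins) use actor/action and are reported separately.
        foreach ($msg in $chat.messages) {
            if ($msg.type -eq 'message') {
                # 'text' is either a plain string or an array of strings and
                # formatted-entity objects ({type, text}); join both shapes.
                $body = $msg.text
                if ($msg.text -isnot [string]) {
                    $body = ($msg.text | ForEach-Object { if ($_ -is [string]) { $_ } else { $_.text } }) -join ''
                }
                $sender = $msg.from
            } else {
                $body   = "[service] $($msg.action)"
                $sender = $msg.actor
            }
            # Prefer the Unix timestamp (UTC); fall back to the local-time ISO string
            # written by the exporting machine (assumed older export layout).
            if ($msg.PSObject.Properties['date_unixtime']) {
                $utc = [DateTimeOffset]::FromUnixTimeSeconds([int64]$msg.date_unixtime).UtcDateTime
            } else {
                $utc = ([datetime]$msg.date).ToUniversalTime()
            }
            [pscustomobject]@{
                ChatName  = $chat.name
                ChatType  = $chat.type
                MessageId = $msg.id
                Utc       = $utc
                From      = $sender
                Text      = $body
            }
        }
    }
}

# Constructed sample export used to exercise the function offline.
$sample = @'
{
  "chats": { "about": "constructed sample", "list": [
    { "name": "Example contact", "type": "personal_chat", "id": 1,
      "messages": [
        { "id": 10, "type": "message", "date": "2024-01-05T09:15:00",
          "date_unixtime": "1704446100", "from": "Example contact", "from_id": "user1",
          "text": "hello" },
        { "id": 11, "type": "message", "date": "2024-01-05T09:16:30",
          "date_unixtime": "1704446190", "from": "Investigator", "from_id": "user2",
          "text": [ "see ", { "type": "link", "text": "https://example.invalid/x" } ] },
        { "id": 12, "type": "service", "date": "2024-01-05T09:17:00",
          "date_unixtime": "1704446220", "actor": "Example contact", "action": "phone_call" }
      ] }
  ] }
}
'@

$tmp = Join-Path $env:TEMP 'telegram_export_sample.json'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
$timeline = Convert-TelegramExportToTimeline -ExportPath $tmp | Sort-Object Utc
$timeline | Format-Table -AutoSize
$timeline | Export-Csv -LiteralPath (Join-Path $env:TEMP 'telegram_timeline.csv') -NoTypeInformation -Encoding UTF8
```

Point the function at the result.json produced by the export instead of the sample to get the real timeline. Because the export can only be generated while the client is online (see the forensic caution above), record when the export was started so that any messages received during that window can be distinguished from the state of the account at seizure.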

included in collections