Set of tools and documentation files for Telegram Desktop artifacts investigation.
Last tested with Telegram Desktop v4.11.7.
Requirements:
- Python 3.x
- Windows OS
The tools provided in this repository are part of a general forensic workflow for the analysis of local Telegram Desktop artifacts:
- Perform a disk acquisition using forensic tools and methods (it is sufficient to acquire the Telegram Desktop folder, usually located at C:\Users\<USER>\AppData\Roaming\Telegram Desktop).
- If a local passkey for Telegram Desktop has been set:
- Use telegram2john.py to parse the file key_datas
- Use the John the Ripper password cracker to crack the passkey using the previous output (this can take some time)
- If a local passkey has not been set (or if the passkey is already known):
- Use TDF Decryptor to decrypt TDF files (see TDF file structures for the detailed file structures)
- Use telegram-cache-decryption to decrypt cache files (user_data folder) and use TGD Cache Parser to parse small files (less than 10MB) from the decrypted binary files. To deserialize bigger files, use telegram-media-deserialize
A Python tool to parse the Telegram Desktop cache once it has been decrypted with telegram-cache-decryption by lilydjwg.
Note: file headers and extensions are hard-coded in the source code. Feel free to add/modify any file type.
Usage: python tgd_cache_parser.py -p DECRYPTED_CACHE_PATH -o OUTPUT_PATH
A Python tool to decrypt TDFs (Telegram Desktop Files) contained in the tdata folder of Telegram Desktop.
A set of XML file structures describing the different TDF files is also available in TDF file structures.
Note: the local passkey for Telegram Desktop must be known to decrypt TDFs.
Contributions: main functions are adapted from telegram-cache-decryption by lilydjwg and TelegramDesktop_Decrypt by Py0zz1.
Usage: python tdf_decryptor.py -p Telegram_Desktop_FOLDER_PATH -o OUTPUT_PATH -k LOCAL_PASSKEY
Requirements:
- tgcrypto
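Before a TDF is handed to the decryptor, an examiner usually wants to confirm that the acquired file is an intact Telegram Desktop container. The following is an added example, not code from this repository: it parses the outer TDF layout (4-byte magic "TDF$", 4-byte little-endian version, payload, trailing 16-byte MD5 computed over payload, payload length, version and magic) and verifies the checksum. It does not decrypt anything; the payload stays encrypted and still needs the passkey-derived key. The sample container is constructed inline so the script runs offline.

```python
import hashlib
import struct

TDF_MAGIC = b"TDF$"


def tdf_checksum(version: int, payload: bytes) -> bytes:
    """MD5 trailer as Telegram Desktop computes it:
    payload, then payload length (int32 LE), then version (int32 LE), then magic."""
    md5 = hashlib.md5()
    md5.update(payload)
    md5.update(struct.pack("<i", len(payload)))
    md5.update(struct.pack("<I", version))
    md5.update(TDF_MAGIC)
    return md5.digest()


def parse_tdf(blob: bytes) -> dict:
    """Split a TDF container into its fields and report whether the MD5 trailer matches.
    Raises ValueError on a truncated file or a wrong magic; a checksum mismatch is
    reported in 'md5_ok' rather than raised, so a damaged file can still be inspected."""
    if len(blob) < 4 + 4 + 16:
        raise ValueError("too short to be a TDF container")
    magic = blob[:4]
    if magic != TDF_MAGIC:
        raise ValueError(f"bad magic {magic!r}")
    version = struct.unpack("<I", blob[4:8])[0]
    payload, stored_md5 = blob[8:-16], blob[-16:]
    return {
        "version": version,
        "payload": payload,  # still encrypted; decryption is a separate step
        "md5_ok": tdf_checksum(version, payload) == stored_md5,
    }


def build_sample_tdf(version: int, payload: bytes) -> bytes:
    """Constructed sample container for testing the parser (not a real tdata file)."""
    return TDF_MAGIC + struct.pack("<I", version) + payload + tdf_checksum(version, payload)


if __name__ == "__main__":
    sample = build_sample_tdf(4011007, b"\x00" * 32)  # constructed, 32 dummy payload bytes
    info = parse_tdf(sample)
    print(f"version={info['version']} payload_len={len(info['payload'])} md5_ok={info['md5_ok']}")
```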