Set of tools and documentation files for Telegram Desktop artifacts investigation.
Last tested with Telegram Desktop v4.11.7.
Requirements:

• Python 3.x
• Windows OS

The tools provided in this repository are part of a general forensic workflow for the analysis of local Telegram Desktop artifacts:

1. Perform a disk acquisition using forensic tools and methods (t is sufficient to acquire the Telegram Desktop folder, usually located at C:\Users\<USER>\AppData\Roaming\Telegram Desktop).
2. If a local passkey for Telegram Desktop has been set:
   • Use telegram2john.py to parse the file key_datas
   • Use John the Ripper password cracker to crack the passkey using the previous output (this could require some time)
3. If a local passkey has not been set (or if the passkey is already known):
   • Use TDF Decryptor to decrypt TDF files (see TDF file structures for the detailed file structures)
   • Use telegram-cache-decryption to decrypt cache files (user_data folder) and use TGD Cache Parser to parse small files (less than 10MB) from the decrypted binary files. To deserialize bigger files, use telegram-media-deserialize

A Python tool that allows to parse the Telegram Desktop cache once decrypted using telegram-cache-decryption by lilydjwg.
Note: file headers and extensions are hard-coded in the source code. Feel free to add/modify any file type.
Usage: python tgd_cache_parser.py -p DECRYPTED_CACHE_PATH -o OUTPUT_PATH

A Python tool that allows to decrypt TDFs (Telegram Desktop Files) contained in the tdata folder of Telegram Desktop.
A set of XML file structures describing the different TDF files is also available in TDF file structures.
Note: the local passkey for Telegram Desktop must be known to decrypt TDFs.
Contributions: main functions are adapted from telegram-cache-decryption by lilydjwg and TelegramDesktop_Decrypt by Py0zz1.
Usage: python tdf_decryptor.py -p Telegram_Desktop_FOLDER_PATH -o OUTPUT_PATH -k LOCAL_PASSKEY
Requirements:

• tgcrypto