Using Elcomsoft Phone Viewer To Extract And Decrypt Signal Databases Via Physical Acquisition

by Sunny Hoi

Introduction

With the release of Elcomsoft Phone Viewer 4.60, digital forensic professionals gain the ability to decrypt and analyze Signal communication histories when viewing the results of an iOS file system acquisition.

Signal is widely regarded as the world’s most secure instant messaging application. Not surprisingly, Signal is often chosen by individuals who have something to conceal. The tool’s insistence on security, combined with the fact that there is nothing to acquire in the cloud and that Signal holds virtually no information about a suspect’s communications that law enforcement could request, makes it attractive to potential criminals.

Why Signal Messenger Is Difficult For Digital Forensic Examiners & State-Sponsored Hackers

Signal makes no attempt to save encryption keys, messages, or conversation histories in the cloud. There is nothing to request from Signal with the exception of a small amount of metadata. Moreover, if an investigator signs in using the suspect’s credentials, there will most likely be nothing available to access. Under no circumstances does Signal sync conversations through the cloud.

Signal does not allow its working database to be backed up locally through iTunes or third-party software, and this applies to encrypted backups as well.

When cloud storage is accessible for another instant messenger or service, law enforcement investigators may present a legal request or log in using the suspect’s account credentials and ultimately access the suspect’s conversation histories.

Note that the majority of instant messengers sync and save communications using their own cloud service, which benefits law enforcement agencies. For instance, Apple syncs iMessages using iCloud while Microsoft retains Skype conversations in the suspect’s Microsoft Account.

Furthermore, Signal does not allow its encryption keys or conversation histories to be included in local backups, including those that are protected with a password.

An advanced persistent threat (APT) actor may try to intercept conversations in transit. Capturing the traffic is technically possible, but decrypting it requires a malicious application installed on the target’s device, because Signal shields communications with end-to-end encryption. The critical question is whether the potential victim is important enough to be targeted in this way.

Bear in mind that even if your own iPhone is free of malicious applications and is secure, the other party’s device (iOS, Android, or the desktop application) could be compromised. If the other individual’s device is compromised, then all communications with that particular individual are entirely compromised as well.

Signal enforces unique protection measures against man-in-the-middle (MITM) attacks, rendering certificate spoofing pointless and making malware-based attacks increasingly difficult to carry out.

The databases of many instant messengers are saved in plain SQLite format and are never encrypted, apart from the protection offered by the system’s full-disk encryption. Therefore, extracting a usable working database from such messengers succeeds every time. Signal, unlike most instant messengers, encrypts its working database.

When the suspect first signs in to Signal on their device, the encryption key is generated and then saved in the keychain, protected with a high protection class. Without that key, the digital forensic examiner can merely extract attachments such as documents, voice messages, and images.

Even after the Signal database has been extracted from the iPhone’s file system image, accessing the data is exceedingly challenging as a result of Signal’s custom encryption scheme. There is no password protecting the database; the encryption key is generated from a random seed during initialization and then saved in the iOS keychain under a high protection class. The high protection class means that the key is not exported to iCloud. In reality, the key is exported, but encrypted with a hardware key unique to the device, and it cannot be decrypted while analyzing a password-protected backup.
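To make the key-handling described above concrete, here is an added, self-contained model (not Elcomsoft’s, Signal’s, or Apple’s code) of a messenger whose database key is generated at first run, stored in a simulated keychain under a device-only protection class, and wrapped with a device-unique hardware key whenever it is exported to a backup. The toy cipher (an HMAC-SHA256 keystream) and the hypothetical `Keychain`, `build_encrypted_app_data` and `read_messages` names are assumptions for illustration; Signal’s real scheme is not reproduced. The protection-class string is the real iOS constant `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`, used here only as an example of a “this device only” class, not as a statement of which class Signal uses. The example shows the three outcomes the text describes: physical acquisition (keychain read on the device) decrypts the database, a backup copy of the key does not, and attachments are readable either way.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import tempfile

# Constructed stand-in for the device-unique hardware key; it never leaves the device.
HARDWARE_KEY = secrets.token_bytes(32)
SQLITE_MAGIC = b"SQLite format 3\x00"  # header every SQLite database file starts with


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce || counter) as keystream. Illustration only."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])


class Keychain:
    """Simulated keychain (hypothetical). Items whose protection class ends in
    'ThisDeviceOnly' are wrapped with HARDWARE_KEY when exported to a backup,
    so the backup carries them only in an unusable form."""

    def __init__(self):
        self.items = {}  # name -> (secret, protection_class)

    def add(self, name, secret, protection_class):
        self.items[name] = (secret, protection_class)

    def export_backup(self):
        """What a local (iTunes-style) backup would contain under this model."""
        return {name: (encrypt(HARDWARE_KEY, s) if pc.endswith("ThisDeviceOnly") else s)
                for name, (s, pc) in self.items.items()}

    def export_physical(self):
        """What physical acquisition on the unlocked device yields: the plaintext items."""
        return {name: s for name, (s, _) in self.items.items()}


def build_encrypted_app_data(keychain, messages):
    """First-run model: a random DB key goes into the keychain, the SQLite file is
    stored encrypted, and attachments are stored as plain files beside it."""
    db_key = secrets.token_bytes(32)
    keychain.add("app-db-key", db_key, "kSecAttrAccessibleWhenUnlockedThisDeviceOnly")  # assumed class
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.sqlite")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
        con.executemany("INSERT INTO messages(sender, body) VALUES (?, ?)", messages)
        con.commit()
        con.close()
        with open(path, "rb") as f:
            plain_db = f.read()
    return {"db.enc": encrypt(db_key, plain_db),
            "attachments/photo1.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes"}


def read_messages(encrypted_db: bytes, key: bytes):
    """Decrypt with the supplied key and query the result; [] if it is not a SQLite file."""
    plain = decrypt(key, encrypted_db)
    if not plain.startswith(SQLITE_MAGIC):
        return []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "decrypted.sqlite")
        with open(path, "wb") as f:
            f.write(plain)
        con = sqlite3.connect(path)
        rows = con.execute("SELECT sender, body FROM messages ORDER BY id").fetchall()
        con.close()
    return rows


def demo():
    """Returns (rows via physical acquisition, rows via backup key, attachment readable?)."""
    kc = Keychain()
    msgs = [("alice", "meet at 9"), ("bob", "ok")]  # constructed sample conversation
    files = build_encrypted_app_data(kc, msgs)
    physical = read_messages(files["db.enc"], kc.export_physical()["app-db-key"])
    wrapped = kc.export_backup()["app-db-key"]  # hardware-wrapped blob, useless off-device
    from_backup = read_messages(files["db.enc"], wrapped[:32])
    attachment_readable = files["attachments/photo1.jpg"].startswith(b"\xff\xd8")
    return physical, from_backup, attachment_readable


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the two messages for the physical path, an empty list for the backup path (the wrapped key does not yield a file starting with the SQLite header), and `True` for the attachment check, which is exactly why the text says that without the keychain an examiner is limited to attachments.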

The only method to acquire Signal data containing the suspect’s communications is physical acquisition.

Logical and cloud acquisition are not viable options for Signal data.

How To Decrypt & View A Conversation History In Signal

To decrypt and view a conversation history in Signal, we will want to use Elcomsoft Phone Viewer to open the file system image and deploy the extracted keychain file in order to decrypt the database of Signal.

To carry out physical extraction (File system and keychain) of the device, we have to employ Elcomsoft iOS Forensic Toolkit.

When using Elcomsoft iOS Forensic Toolkit, ensure that you capture the keychain together with the file system image.

Elcomsoft Phone Viewer will proceed to decrypt the database and show its content instantly.

We will use physical acquisition to decrypt the Signal conversation databases extracted from the iPhone. Importantly, we will have to extract the encryption key from the keychain.

Before proceeding further in this tutorial, ensure that you have the file system image (either .zip or .tar) and the decrypted keychain (the default file name is keychaindump.xml), both extracted using Elcomsoft iOS Forensic Toolkit.

1. Open Elcomsoft Phone Viewer software and the file system image.

2. After the file system has completely loaded, the Signal icon appears among the other icons in Elcomsoft Phone Viewer. The icon carries a red key badge, indicating that the database is still encrypted.

3. Click on the Signal icon. You’ll be asked to supply the path to the keychain file. To decrypt the database, choose the relevant keychain file. The red key badge disappears, signifying that the decryption is complete.

4. You may browse and analyze the database’s content after it has been successfully decrypted. Elcomsoft iOS Forensic Toolkit provides digital forensic professionals with access to the suspect’s Signal account information, conversations, attachments, and call logs.
