http://dx.doi.org/10.13089/JKIISC.2020.30.3.405

Study on Improved Decryption Method of WeChat Messenger and Deleted Message Recovery Using SQLite Full Text Search Data  

Hur, Uk (Kookmin University)
Park, Myungseo (Kookmin University)
Kim, Jongsung (Kookmin University)
Abstract
With the increase in smartphone users, mobile forensics has become an essential element of modern digital forensic investigation. Mobile messenger data is very important in mobile forensics because it can reveal information such as a user's life patterns and mental state. Analyzing messenger data requires a technique for decrypting encrypted messenger data. Since most messengers provide a message deletion function, a technique for recovering deleted messages is also required. WeChat Messenger, a messenger used by about 1 billion people around the world, uses IMEI (International Mobile Equipment Identity) information to encrypt data and provides a message deletion function. In this paper, we propose a data decryption method that works in the absence of IMEI information, and a method for recovering deleted messages using the FTS (Full Text Search) database created for the full-text search function of the SQLite database.
Keywords
Digital forensics; Mobile forensics; Instant messenger; Data recovery