Update 1: Thanks to Ben K. at DIYgeek.com for providing the Macintosh screenshots.
Update 2: A change in Signal requires that you now use “SQLCipher 4 defaults” instead of “SQLCipher 3 defaults” when opening the database.
Need to pull Signal chat messages for investigative purposes? Is your target using Signal on a Windows or Macintosh machine? If so, keep reading…
This particular “issue” (if you want to call it that) of reading Signal messages stored on Windows and Macintosh OS’ is not anything new. This was first described widely around October 2018. The Signal Foundation stated that their intent was never to encrypt messages at rest and the compensating control is Full Disk Encryption, therefore vulnerability 4548 was marked as closed.
For the forensics practitioner: I am going to assume basic forensic practices have been taken in and around the device you are working on including the actual Signal database. Photographs, chain of custody, working off of the “original copy” of the disk, and hashing of the database and results.
For the information security practitioner or for those who are just knowledgeable enough to be dangerous: if you’re reading this, starting to panic, and are writing an email to your information security or information technology staff to tell them about this “huge vulnerability” and people must cease using Signal… STOP! If this is you, then you do not fully understand compensating controls, endpoint security, and risk mitigation. We can discuss in the comments section below.
- Examiner’s machine
- Target machine
- A text viewer (Notepad++, “nano” Linux command line, or similar)
- Download and install SQLite Browser (choose SQL Cipher during install) – https://sqlitebrowser.org/dl/
- A copy of the “config.json” file from:
- Windows – %Appdata%\Signal\config.json (such as C:\Users\username\AppData\Roaming\Signal\config.json)
- Macintosh – ~/Library/Application Support/Signal/config.json
- A copy of the “db.sqlite” file from:
- Windows – %Appdata%\Signal\sql\db.sqlite (such as C:\Users\username\AppData\Roaming\Signal\sql\db.sqlite)
- Macintosh – ~/Library/Application Support/Signal/sql/db.sqlite
Step by step instructions:
- Open config.json in your text editor.
- Copy the encryption key between the parenthesis (“key”).
- Open DB Browser (SQLCipher) and open your db.sqlite database.
- Change the encryption radio button to “SQLCipher 3 defaults“, change the drop down from “Passphrase” to “Raw Key“, then finally type “0x[paste the key from the config.json file]”. Don’t forget to include 0x before you paste the encryption key. If you receive an error that the file is not a SQLite database, you need to close the program and open up SQLCipher.
- If opened properly you should see a list of tables and indices.
- Switch to the “Browse Data” tab and change your “Table:” drop down to “messages“. You should now be able to explore and investigate messages and message content in the “JSON” and “BODY” columns. Other columns and table drop down options exist that may assist in your investigation.
- If you navigate to “File” and select “Export“, you can export your findings in various formats such as CSV. Tables export will give you the option to select your target tables in the database.
- If exported to CSV, you can view the contents of the table in Excel or another CSV viewer. Note that I redacted the contents of my messages for public posting.