Pulling encrypted Signal messages off of desktop OS’ for forensics

Update 1: Thanks to Ben K. at DIYgeek.com for providing the Macintosh screenshots.

Need to pull Signal chat messages for investigative purposes? Is your target using Signal on a Windows or Macintosh machine? If so, keep reading…

TL;DR below – skip to the technical part – you can complete all of this in under 10 minutes.

This particular “issue” (if you want to call it that) of reading Signal messages stored on Windows and Macintosh OS’ is not anything new. This was first described widely around October 2018. The Signal Foundation stated that their intent was never to encrypt messages at rest and the compensating control is Full Disk Encryption, therefore vulnerability 4548 was marked as closed.

For the forensics practitioner: I am going to assume basic forensic practices have been followed in and around the device you are working on, including the actual Signal database: photographs, chain of custody, working off of the “original copy” of the disk, and hashing of the database and results.

For the information security practitioner or for those who are just knowledgeable enough to be dangerous: if you’re reading this, starting to panic, and are writing an email to your information security or information technology staff to tell them about this “huge vulnerability” and people must cease using Signal… STOP! If this is you, then you do not fully understand compensating controls, endpoint security, and risk mitigation. We can discuss in the comments section below.

I’m working off of Windows 10 Pro 1903 with Signal installed on that Windows operating system. I don’t have a Macintosh device to poke at for this guide, but the process should be similar.

Prerequisites:

  1. Examiner’s machine
  2. Target machine
  3. A text viewer (Notepad++, “nano” Linux command line, or similar)
  4. Download and install SQLite Browser (choose SQL Cipher during install) – https://sqlitebrowser.org/dl/
  5. A copy of the “config.json” file from:
    1. Windows – %Appdata%\Signal\config.json (such as C:\Users\username\AppData\Roaming\Signal\config.json)
    2. Macintosh – ~/Library/Application Support/Signal/config.json
  6. A copy of the “db.sqlite” file from:
    1. Windows – %Appdata%\Signal\sql\db.sqlite (such as C:\Users\username\AppData\Roaming\Signal\sql\db.sqlite)
    2. Macintosh – ~/Library/Application Support/Signal/sql/db.sqlite

Step by step instructions:

  1. Open config.json in your text editor.

  2. Copy the encryption key, which is the quoted string value of the “key” entry.

  3. Open DB Browser (SQLCipher) and open your db.sqlite database.

  4. Change the encryption radio button to “SQLCipher 3 defaults”, change the drop down from “Passphrase” to “Raw Key”, then finally type “0x[paste the key from the config.json file]”. Don’t forget to include 0x before you paste the encryption key. If you receive an error that the file is not a SQLite database, you need to close the program and open up SQLCipher.

  5. If it opened properly, you should see a list of tables and indices.

  6. Switch to the “Browse Data” tab and change your “Table:” drop down to “messages”. You should now be able to explore and investigate messages and message content in the “JSON” and “BODY” columns. Other columns and table drop down options exist that may assist in your investigation.



  7. If you navigate to “File” and select “Export”, you can export your findings in various formats such as CSV. The table export will give you the option to select your target tables in the database.

  8. If exported to CSV, you can view the contents of the table in Excel or another CSV viewer. Note that I redacted the contents of my messages for public posting.
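The eight steps above, scripted against an examiner’s copy of the Signal profile directory, as an added example that is not part of the original post. It assumes the profile layout listed under Prerequisites (config.json beside a sql/db.sqlite) and that the sqlcipher command-line shell is available to run the emitted statements; the “SQLCipher 3 defaults” and “Raw Key” settings chosen in DB Browser are expressed as PRAGMA statements.

```python
"""Hash the evidence files, read the raw key from config.json, and build the
sqlcipher statements that match the DB Browser settings used above.
Paths and the sample config below are constructed for illustration."""
import hashlib
import json
import re
import sys
from pathlib import Path

# Signal Desktop stores a 32-byte raw key as 64 hex digits under "key".
HEX_KEY_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample of the relevant part of config.json (not a real key).
SAMPLE_CONFIG = json.dumps({"key": "0123456789abcdef" * 4})


def sha256_file(path):
    """Hash an evidence file in chunks so large db.sqlite copies are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def read_key(config_text):
    """Return the validated hex key stored under "key" in config.json."""
    key = json.loads(config_text).get("key")
    if not isinstance(key, str) or not HEX_KEY_RE.match(key):
        raise ValueError("config.json has no 64-hex-digit 'key' value")
    return key.lower()


def sqlcipher_statements(hex_key):
    """The "0x<key>" raw-key form DB Browser expects becomes x'<key>' in
    PRAGMA syntax; cipher_compatibility = 3 is the SQLCipher 3 defaults."""
    return [
        f"PRAGMA key = \"x'{hex_key}'\";",
        "PRAGMA cipher_compatibility = 3;",
        "SELECT json, body FROM messages;",
    ]


def prepare(profile_dir):
    """Hash config.json and sql/db.sqlite, then derive the sqlcipher script."""
    profile = Path(profile_dir)
    config, db = profile / "config.json", profile / "sql" / "db.sqlite"
    return {
        "config_sha256": sha256_file(config),
        "db_sha256": sha256_file(db),
        "statements": sqlcipher_statements(read_key(config.read_text())),
    }


if __name__ == "__main__":
    print(json.dumps(prepare(sys.argv[1]), indent=2))
```

Record the two hashes in your notes before and after opening the copy; the statements can be pasted into `sqlcipher db.sqlite` to reach the same “messages” table shown in step 6.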

2 thoughts on “Pulling encrypted Signal messages off of desktop OS’ for forensics”

  1. I tried this using the latest 3.11.2 64-bit for Windows. Everything runs as indicated, but the database does not open with “DB Browser for SQLCipher.exe”. Has Signal changed the settings?
