On March 24th, Telegram released a new version of its messenger and introduced a new feature: the ability “to delete any message you have sent or received from both sides in any private chat”. According to Telegram’s official website, “the messages will disappear for both you and the other person – without leaving a trace.” Sounds pretty interesting, right?
Let’s imagine: the cops caught a bad guy and seized his phone, but just before that his friends started deleting messages from his phone. Are these messages recoverable? It’s time to find out!
For testing, we took a Samsung SM-J710F running Android 8.1, installed the latest version of Telegram, registered a John Tester account and used it to chat with Oleg. Soon after, Oleg deleted all the messages. As you can see in the screenshot, there are no messages available:
Just like many other messengers, Telegram stores messages in a SQLite database. If you’ve read our articles (for example, this one) or books, you should know that it’s possible to recover deleted messages from the free lists and unallocated space of the database. So let’s look at cache4.db with a SQLite viewer that supports recovering deleted records:
As you can see, there is no deleted data in the database. What does this mean? Can the bad guys start celebrating? We don’t think so!
We created a physical image of the phone and parsed it with Belkasoft Evidence Center. Here is what we got:
What happened? Before being committed to the database, messages are stored in the Write-Ahead Log (WAL). This file is stored in the same folder as the main database file.
As you can see in the screenshot, the file is bigger than the main database file, so it contains, or may contain, more data:
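To see why a deleted message can outlive the delete in the WAL, here is an added Python example (not code from this article or from any tool mentioned in it) that walks WAL frames and searches every page image, including superseded ones. The `messages` table, the sample text and the PRAGMA settings are constructed assumptions for a reproducible test, not Telegram's actual schema or configuration.

```python
import os, sqlite3, struct, tempfile

def wal_frames(raw):
    """Yield (index, page_no, is_commit, salts_ok, page_image) per WAL frame."""
    magic, _ver, page_size, _seq, salt1, salt2 = struct.unpack(">6I", raw[:24])
    if magic not in (0x377F0682, 0x377F0683):
        raise ValueError("not a SQLite WAL file")
    step = 24 + page_size                      # frame header + one page image
    for idx, off in enumerate(range(32, len(raw) - step + 1, step)):
        page_no, db_size, s1, s2 = struct.unpack(">4I", raw[off:off + 16])
        yield idx, page_no, db_size != 0, (s1, s2) == (salt1, salt2), raw[off + 24:off + step]

def search_wal(raw, needle):
    """Return (hits, latest): frames holding needle, and newest image per page."""
    hits, latest = [], {}
    for idx, page_no, _commit, _ok, image in wal_frames(raw):
        latest[page_no] = image                # later frames supersede earlier ones
        if needle in image:
            hits.append((idx, page_no))
    return hits, latest

def build_sample(needle):
    """Constructed sample: insert one message, delete it, return (rows, db, wal)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.db")
        con = sqlite3.connect(path)
        con.execute("PRAGMA journal_mode=WAL")
        con.execute("PRAGMA wal_autocheckpoint=0")   # assumption: no checkpoint yet
        con.execute("PRAGMA secure_delete=ON")       # assumption: freed cells zeroed
        con.execute("CREATE TABLE messages(mid INTEGER PRIMARY KEY, data BLOB)")
        con.execute("INSERT INTO messages(data) VALUES (?)", (needle,))
        con.commit()
        con.execute("DELETE FROM messages WHERE mid = 1")
        con.commit()
        rows = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
        with open(path, "rb") as f:
            db = f.read()
        with open(path + "-wal", "rb") as f:         # read before close() checkpoints
            wal = f.read()
        con.close()
    return rows, db, wal

if __name__ == "__main__":
    needle = b"constructed sample message: meet at nine"
    rows, db, wal = build_sample(needle)
    hits, latest = search_wal(wal, needle)
    print("rows:", rows, "| in main db:", needle in db, "| WAL frames with text:", hits)
```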
Still think “the messages will disappear for both you and the other person – without leaving a trace.”?