Obtain a logical dump of Signal data on Android with signal-back

I’ve had a number of people asking for a walkthrough on this process so thought I’d make it into this week’s blog entry. It’s not a particularly technical process and I’m the first to admit doesn’t adhere to strict forensic fundamentals either. I recognize this and agree! This approach is certainly one of the last things to do on an Android device – once you’ve completed all other acquisition techniques – including potentially taking photos of the screen. You should also consider any potential repercussions of manipulating the device directly and be willing to speak to this down the road otherwise don’t do it!

We’ve slowly been forced to make concessions as forensic examiners as the technology evolves and with it, an increased difficulty in obtaining that pristine unaltered dataset we get with a write-blocked mechanical hard drive. As long as you’ve followed sound forensic processes and obtained as much data as possible without making any changes, I think it’s a great ability to possess — being able to export Signal data this way — given time is not always abundant and message data can be unpredictably supermassive. We’ve all had the experience of having to capture screen photos one by one, and let’s face it – it sucks. Worse, the data you get from screen photos is often less precise… perhaps times are rounded to the nearest minute, relative to the time of the moment it is being viewed, or not visible at all.

Enough with the disclaimer, where do we start?

First, remove any SD card in the device, place it in a bag or tape it to something with a label, and set it aside. Locate a blank SD card. We’ll use this temporary SD card to transfer off our backup data once it is prepared. I generally wait to insert the SD card until after the backup has been created.

Open the Signal application on the device. Go to settings via the ‘…’ button at the top right of the home screen. From here look for ‘Chats and Media’ and tap on that.

On the next screen, click the slider switch to enable Chat Backups. If it is already enabled, switch it off and back on. A new password is generated each time. NOTE: You may wish to turn this OFF after completing an extraction.

Enabling the slider switch will trigger a dialog with a numeric password on it. The passphrase is read from left to right, row by row, as if there were no spaces in it. Check the box. HIGHLY RECOMMEND TAKING A PHOTO vs. writing it down.

After the program has run, the original screen will update with a new last backup date. Go back to the Home screen and locate File Manager app. On the device root (not the SD card), locate the folder called Signal. It will be empty aside from your newly generated backup. Now put in your blank SD card. Assuming all goes well and it gets mounted, long hold on the Signal folder and then chose ‘Move To’ from the context menu.

I usually choose to move it to the blank SD card, so it isn’t left behind on the device. Transfer this to your examination machine and copy it out. If you were to look at this in hex, you’ll see what you expected to see – an encrypted container file.

Now we need to use signal-back. This app is written in Go, and open source, but has been conveniently bundled into an executable that you can download off it’s Github page at xeals/signal-back. I’ve got this executable in a folder that’s in my PATH environment variable but you could copy it into the casefolder if you like. The command syntax is:

signal-back.exe format signal-2019-01-01-01-30-22.backup > signalMessages.xml

After this you will be prompted for the password which is not echoed to the screen. If you get a long error or anything to do with a parsing error you may have a password issue – try again. Alternatively if everything was successful you now have an XML file that is compatible with SMS Backup and Restore.

Throw this data into a compatible tool and presto! Signal data! One last note, contact names aren’t present in the XML. I don’t know if the Signal backup database includes it or not, but the way I deal with this is by exporting all Native contacts using a forensic tool and apply it to the XML based on phone numbers. You could also do this manually.

3 thoughts on “Obtain a logical dump of Signal data on Android with signal-back

Leave a Reply

Your email address will not be published. Required fields are marked *

Releated

Analysis of the ABTraceTogether app (iOS)

I decided to have a look at the ABTraceTogether contract tracing app released by the Alberta Government today (May 1 2020) and blog about my findings. There’s potential for conspiracy theories and disinformation to run rampant for an app like this, so I wanted to have a look for myself and see how it actually […]