TY - JOUR
T1 - Digital forensic analysis of encrypted database files in instant messaging applications on Windows operating systems
T2 - Case study with KakaoTalk, NateOn and QQ messenger
AU - Choi, Jusop
AU - Yu, Jaegwan
AU - Hyun, Sangwon
AU - Kim, Hyoungshick
N1 - Publisher Copyright:
© 2019 Jusop Choi, Jaegwan Yu, Sangwon Hyun, Hyoungshick Kim
PY - 2019/4
Y1 - 2019/4
N2 - Instant messaging applications store users' personal data (e.g., user profile, chat messages, photos and video clips). Because those data typically include privacy sensitive information, most instant messaging applications are trying to protect the stored data in an encrypted form so that the authorized messaging application itself can only access the data. In this paper, we analyzed the locations and file formats of personal data files in three instant messaging applications (KakaoTalk, NateOn, and QQ) which are the most popularly used in China and South Korea. We particularly examined the encryption and decryption procedures for internal databases in those messaging applications through reverse-engineering. Our analysis results demonstrate how the database files of those instant messaging applications are stored and encrypted. Moreover, in the cases of KakaoTalk and NateOn applications, we found that their encrypted database files can successfully be recovered without requiring user password. We also found that QQ messenger stores the encryption key for the database files into an external server. This implementation may raise another privacy concern because users’ personal data can be freely accessed by the service provider without user consent.
AB - Instant messaging applications store users' personal data (e.g., user profile, chat messages, photos and video clips). Because those data typically include privacy sensitive information, most instant messaging applications are trying to protect the stored data in an encrypted form so that the authorized messaging application itself can only access the data. In this paper, we analyzed the locations and file formats of personal data files in three instant messaging applications (KakaoTalk, NateOn, and QQ) which are the most popularly used in China and South Korea. We particularly examined the encryption and decryption procedures for internal databases in those messaging applications through reverse-engineering. Our analysis results demonstrate how the database files of those instant messaging applications are stored and encrypted. Moreover, in the cases of KakaoTalk and NateOn applications, we found that their encrypted database files can successfully be recovered without requiring user password. We also found that QQ messenger stores the encryption key for the database files into an external server. This implementation may raise another privacy concern because users’ personal data can be freely accessed by the service provider without user consent.
KW - Database encryption
KW - Forensic analysis
KW - Instant messaging applications
KW - Key recovery
UR - https://www.scopus.com/pages/publications/85064862189
U2 - 10.1016/j.diin.2019.01.011
DO - 10.1016/j.diin.2019.01.011
M3 - Article
AN - SCOPUS:85064862189
SN - 1742-2876
VL - 28
SP - S50-S59
JO - Digital Investigation
JF - Digital Investigation
ER -