Abstract: Nowadays most smartphone users benefit from instant messaging applications such as WhatsApp, Viber, Facebook Messenger, Snapchat or Telegram. The majority of them allow not only sending messages but also sharing photos, videos and audio, and making calls and video calls. Analysing what digital artefacts these messaging applications leave behind is becoming a popular research topic for forensic specialists. The research in this paper looks into retrieving information from the social instant messaging application Telegram on a Sony-Ericsson LT26i smartphone running Android OS 4.1.2. The tools used are the XRY Physical analyser and the XRY Reader. The work aims to detect any data and information that the Telegram application leaves in the smartphone's memory, e.g. messages, history and logs, and to compare it with the artefacts left by the two most popular instant messaging applications, Viber and WhatsApp. Extensive analysis has been performed using a physical acquisition type of extraction on an Android smartphone in order to find artefacts left by the instant messaging application Telegram. It was found that artefacts left by Telegram can be easily found and decoded by the XRY Extraction Wizard. Messages sent via Telegram were found in the chat section of the XRY Reader. It was also important to determine where those artefacts are located in the file system. It was found that Android uses SQLite databases, which Telegram uses to store messages. The database was found using the XACT image viewer and the relevant artefacts were retrieved.
Keywords: android, forensic analysis, digital artifacts, data retrieval, telegram
1. Introduction
The Telegram application is an instant messaging tool introduced mainly to provide a higher level of security than other popular Instant Messaging (IM) applications. Telegram, similarly to Snapchat, has a self-destructing message capability and uses the Diffie-Hellman protocol for key generation.
It is important to consider how users apply Telegram's features in order to discover every available data artefact. This means that a full investigation must cover both messaging types: normal chats and secret chats. This research must be performed while adhering to the ACPO Principles. ACPO is not only used as a guideline, but also as a standard approach in computer forensics (Williams, 2012). A simple and standardised method to retrieve data is...




