// evidence type
secure messaging artifact (signal / telegram / whatsapp)
signal desktop config · ios signal backup residue · telegram tdata · whatsapp local store. extract threads, disappearing-message gaps, encrypted-session metadata — stalkerware and harassment staples.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this evidence type.
- signal desktop artifact forensic extractor: drop signal desktop %APPDATA%\Signal · parse encrypted leveldb config + sql.sqlite (key-derived) · surface conversation + attachment metadata · runs locally
- ios signal artifact forensic extractor: drop signal.sqlite · parse conversations and messages · disappearing timers · view-once flags · draft messages · registered phone · rowid gaps · runs locally
- telegram desktop tdata artifact forensic extractor: drop telegram desktop tdata folder · parse user.id / D877F783D5D3EF8C cache · surface account session + chat history · runs locally
- iOS WhatsApp artifact forensic extractor: drop iOS WhatsApp ChatStorage.sqlite and Contacts.sqlite · parse all chats, messages, groups, and media references · reconstruct conversation timelines with delivery status · surface location shares, contact cards, and deleted message placeholders · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- threema desktop artifact forensic extractor: drop threema desktop client data dir · runs locally
- threema android artifact forensic extractor: drop threema android dataDir · parse messages.db (encrypted) + contacts · runs locally
- whatsapp desktop artifact forensic extractor: drop whatsapp desktop %APPDATA%\WhatsApp · parse IndexedDB + leveldb · surface chat preview + session metadata · runs locally
- whatsapp web indexeddb forensic extractor: drop chrome / edge IndexedDB for web.whatsapp.com · parse messages + media keys cache · runs locally
- android whatsapp database forensic analyzer: drop an Android WhatsApp msgstore.db · parse all messages, chats, groups, and media metadata · reconstruct conversation timelines · surface message delivery status, forwarding metadata, location shares, and contact cards · detect deleted message gaps · runs locally
- signal desktop disappearing message residue detector: drop signal desktop leveldb + sql · detect remnants of disappeared-message rows in WAL · runs locally
- signal protocol pqxdh session forensic analyzer: drop signal pqxdh session metadata export · parse kyber prekey + double ratchet epoch · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally