What can you determine about a Secret Chat app when your device is not rooted or jailbroken? To illustrate, we’ve isolated the Telegram application. The screenshot above was taken from a non-jailbroken iOS device, and both the group.ph.telegra.Telegraph and the ph.telegra.Telegraph folders have been selected in the tree pane.

While we are not able to obtain the actual messaging database from a file system acquisition of a non-jailbroken device, we still have several user-created artifacts for analysis. The bulk of interesting data will reside in the group.ph.telegra.Telegraph/Caches directory. This folder will contain images that were sent and received on the device. In addition to those images, any icons for contacts that the user established, as well as icons that were generated as part of a search, will also appear in this directory. The datetime stamps in this directory are fairly reliable when trying to match them with information gathered from an associated database.
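
As an added example (not part of the original article or any tool it describes), the following Python sketch inventories an exported copy of the group.ph.telegra.Telegraph/Caches directory: it classifies each file by its leading bytes, hashes it, and orders the results by modification time so they can be lined up against a timestamp from another source. It assumes the acquisition tool preserved file modification times on export; the function names and the `window_s` tolerance are hypothetical.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Leading bytes of the image formats this sketch recognises; cached files
# are classified by content, not by file name or extension.
MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"), (b"GIF8", "gif")]


def sniff(head: bytes) -> str:
    """Return the image type implied by a file's first bytes, else 'other'."""
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    return next((kind for magic, kind in MAGIC if head.startswith(magic)), "other")


def inventory(caches_dir):
    """List every file under caches_dir with type, SHA-256 and mtime (UTC), oldest first."""
    rows = []
    for path in Path(caches_dir).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rows.append({
            "path": str(path.relative_to(caches_dir)),
            "type": sniff(data[:12]),
            "sha256": hashlib.sha256(data).hexdigest(),
            # Assumption: the exported copy kept the device's modification time.
            "mtime": datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc),
        })
    return sorted(rows, key=lambda r: r["mtime"])


def near(rows, when, window_s=120):
    """Rows whose mtime is within window_s seconds of a timestamp from another source."""
    return [r for r in rows if abs((r["mtime"] - when).total_seconds()) <= window_s]


if __name__ == "__main__":
    import sys
    # Usage: python inventory.py <path to exported Caches directory>
    for row in inventory(sys.argv[1]):
        print(row["mtime"].isoformat(), row["type"], row["sha256"], row["path"], sep="\t")
```

Run it against a working copy of the export rather than the original evidence, and record the SHA-256 values alongside the timeline so each cached image can be re-identified later.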