Some secure messengers prove more difficult to examine than others, and Signal is one application whose data, until fairly recently, could not be easily accessed. Fortunately, forensic tools such as Elcomsoft's are now able to extract and decrypt it. First, what makes Signal more difficult to access than other messaging applications?

•  Signal pins its server certificates, so MITM attempts that present a spoofed certificate fail; its traffic cannot be captured by interposing a proxy.

•  Extracting relevant content requires access to the Full File System (thank you CAS, GrayKey, jailbreaks, and now checkm8, the bootrom vulnerability that gives us access on more devices).

•  Signal's data is never included in iTunes or iCloud backups (encrypted or not) and is never stored on Signal's servers; this covers messages and encryption keys alike.

•  Signal encrypts the database that stores user-related activity, which is unlike most other messaging applications. The database encryption key, generated from a random seed when the app is first initialized, is stored in the keychain. To access communication data (other than attachments), you must recover that encryption key from the keychain; a file system dump alone is not enough.

To decrypt Signal using Elcomsoft, you will need:

•  The decrypted keychain

•  A Full File System dump in .tar or .zip format

Open the device image in Elcomsoft Phone Viewer; the Signal icon should display a red key denoting the presence of encryption. Selecting the Signal icon will allow you to navigate to the keychain file, which will be used to decrypt the application content. The red key will disappear after a successful decryption, and the content will be available for review. If the red key remains, the keychain you supplied most likely did not contain Signal's database key (for example, an incomplete or still-encrypted keychain export).
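To show what that decryption step does under the hood, here is an added example; it is not code from the original page or from Elcomsoft. It walks a Full File System .tar to find Signal's container, pulls the database key spec out of a decrypted keychain export, and builds the SQLCipher raw-key PRAGMA needed to open the database. The app-group identifier, keychain service/account names, database path and the keychain export layout (svce/acct/v_Data records) are assumptions, not facts stated on the page; verify them against your own dump. The sample archive and keychain records are constructed inline so the script runs offline.

```python
"""Locate Signal's SQLCipher database in an iOS full file system dump and
derive the key material needed to open it from a decrypted keychain export.
Added example; not the page's or Elcomsoft's code."""
import io
import plistlib
import tarfile

# Assumptions (not stated on the page): Signal for iOS keeps its SQLCipher
# database in its shared app-group container and its key spec in the keychain
# under this service/account pair. Check these against the dump you have.
SIGNAL_APP_GROUP = "group.org.whispersystems.signal.group"
KEYCHAIN_SERVICE = "TSKeyChainService"
KEYCHAIN_ACCOUNT = "GRDBDatabaseCipherKeySpec"
DB_RELATIVE_PATH = "grdb/signal.sqlite"
CONTAINER_METADATA = ".com.apple.mobile_container_manager.metadata.plist"
APPGROUP_PREFIX = "private/var/mobile/Containers/Shared/AppGroup/"


def find_signal_database(tar: tarfile.TarFile):
    """Read each app-group container's metadata plist (the container directory
    names are random UUIDs, so the plist is how you map UUID to app) and return
    the in-archive path of Signal's database, or None if it is not present."""
    for member in tar.getmembers():
        if not member.isfile() or APPGROUP_PREFIX not in member.name:
            continue
        if not member.name.endswith("/" + CONTAINER_METADATA):
            continue
        meta = plistlib.load(tar.extractfile(member))
        if meta.get("MCMMetadataIdentifier") != SIGNAL_APP_GROUP:
            continue
        candidate = member.name.rsplit("/", 1)[0] + "/" + DB_RELATIVE_PATH
        try:
            tar.getmember(candidate)
            return candidate
        except KeyError:
            return None  # container present but no database inside it
    return None


def extract_key_spec(keychain_records):
    """Pull the raw 48-byte key spec out of a decrypted keychain export.
    The record layout (svce / acct / hex-encoded v_Data) is assumed here;
    adapt the field names to whatever your keychain exporter writes."""
    for rec in keychain_records:
        if rec.get("svce") == KEYCHAIN_SERVICE and rec.get("acct") == KEYCHAIN_ACCOUNT:
            return bytes.fromhex(rec["v_Data"])
    raise LookupError("Signal database key spec not found in keychain export")


def sqlcipher_key_pragma(key_spec: bytes) -> str:
    """SQLCipher accepts a raw key (no PBKDF2 derivation) as x'<hex>'. With
    96 hex characters it reads 32 bytes of key followed by the 16-byte salt
    that normally lives in the database file header."""
    if len(key_spec) != 48:
        raise ValueError(f"expected a 48-byte key spec, got {len(key_spec)} bytes")
    return f"PRAGMA key = \"x'{key_spec.hex()}'\";"


def open_database(db_path: str, key_spec: bytes):
    """Open an extracted signal.sqlite with the sqlcipher3 binding (optional
    dependency, not needed for the rest of this script)."""
    import sqlcipher3  # pip install sqlcipher3-binary
    conn = sqlcipher3.connect(db_path)
    conn.execute(sqlcipher_key_pragma(key_spec))
    conn.execute("PRAGMA cipher_compatibility = 4;")  # must follow PRAGMA key
    conn.execute("SELECT count(*) FROM sqlite_master;")  # raises if the key is wrong
    return conn


def build_sample_dump() -> bytes:
    """Constructed stand-in for a real dump: one unrelated app group plus the
    Signal app group holding an empty placeholder signal.sqlite."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(path, data):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for uuid, group in (("1111-AAAA", "group.com.example.other"),
                            ("2222-BBBB", SIGNAL_APP_GROUP)):
            add(f"{APPGROUP_PREFIX}{uuid}/{CONTAINER_METADATA}",
                plistlib.dumps({"MCMMetadataIdentifier": group}))
        add(f"{APPGROUP_PREFIX}2222-BBBB/{DB_RELATIVE_PATH}", b"")
    return buf.getvalue()


# Constructed keychain export; v_Data is hex as an exporter might emit it.
SAMPLE_KEYCHAIN = [
    {"svce": "com.apple.example", "acct": "unrelated", "v_Data": "00"},
    {"svce": KEYCHAIN_SERVICE, "acct": KEYCHAIN_ACCOUNT, "v_Data": bytes(range(48)).hex()},
]


def demo():
    """Run the locate + key-extraction steps against the constructed data."""
    tar = tarfile.open(fileobj=io.BytesIO(build_sample_dump()))
    db_path = find_signal_database(tar)
    pragma = sqlcipher_key_pragma(extract_key_spec(SAMPLE_KEYCHAIN))
    return db_path, pragma


if __name__ == "__main__":
    print(demo())
```

On a real dump, extract the path returned by `find_signal_database` to disk and hand it together with the key spec to `open_database`; the `SELECT` against `sqlite_master` is the cheapest way to confirm the key is right before you start parsing tables. Attachments are a separate matter, as the page notes, and are not handled here.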

Reference:

https://for585.com/signaldecrypt