Telegram Desktop - macOS Forensic Artifacts

Overview

Telegram Desktop is a Qt-based messaging client for macOS that stores all local data in a custom encrypted binary format called TDF$ (magic bytes 0x54444624). Unlike Signal Desktop, which exposes a SQLCipher database with a plaintext key, Telegram's local store cannot be read without the user's account credentials and encryption key material. An investigator without the passcode will not find any decryptable message history on disk.

This is by design. Telegram's architecture is fundamentally cloud-first: all regular ("cloud") chats are stored server-side. The local tdata/ directory primarily stores session credentials, application settings, and downloaded media — not message history. As a result, the forensic profile of Telegram Desktop is markedly different from Signal or Apple Messages: less message content, but still meaningful account attribution, media evidence, and behavioral indicators.

Telegram Desktop ships in two independent distribution variants on macOS, each with a completely different data path:

Standalone (org.telegram.desktop): installs directly to /Applications/Telegram.app and writes data to ~/Library/Application Support/Telegram Desktop/tdata/
Mac App Store (ru.keepcoder.Telegram): runs in a macOS App Sandbox and writes data to ~/Library/Containers/ru.keepcoder.Telegram/Data/Library/Application Support/Telegram Desktop/tdata/

Both variants use the same internal tdata/ directory structure and the same TDF$ binary format. Forensically, they are identical once you locate the correct root path.

Telegram Desktop supports up to six simultaneous logged-in accounts. The primary account stores its data directly in tdata/; additional accounts use numbered subdirectories (tdata/#2/ through tdata/#6/).

File Locations

Standalone Distribution (`org.telegram.desktop`)

Artifact	Path	Notes
tdata directory	`~/Library/Application Support/Telegram Desktop/tdata/`	Primary data store
Account tag	`tdata/usertag`	TDF$ encrypted, account identifier
Session keys	`tdata/key_data`, `tdata/key_datas`	TDF$ encrypted, authentication credentials
Settings	`tdata/settings0`, `tdata/settings1`	TDF$ encrypted, application configuration
Multi-account	`tdata/#2/` through `tdata/#6/`	Additional signed-in accounts
Media cache	`tdata/user_data/cache/`	Downloaded media files (often unencrypted)
Media cache	`tdata/user_data/media_cache/`	Alternative cache location
Secret chat traces	`tdata/secret_`, `tdata/map`	TDF$ encrypted, key exchange residue
Crash dumps	`tdata/dumps/`	Crash dump files
Application binary	`/Applications/Telegram.app/Contents/MacOS/Telegram`	Used for offline decryption analysis

Mac App Store Distribution (`ru.keepcoder.Telegram`)

Artifact	Path	Notes
tdata directory	`~/Library/Containers/ru.keepcoder.Telegram/Data/Library/Application Support/Telegram Desktop/tdata/`	Sandboxed data store
Account tag	`[tdata]/usertag`	TDF$ encrypted
Session keys	`[tdata]/key_data`, `[tdata]/key_datas`	TDF$ encrypted
Media cache	`[tdata]/user_data/cache/`	Downloaded media files
Group container	`~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram/`	Shared extension data
Crash logs	`~/Library/Logs/DiagnosticReports/Telegram*.crash`	User-level crash reports
Crash logs	`~/Library/Logs/DiagnosticReports/Telegram*.ips`	JSON-format crash reports

Both variants, same format

An investigator should check both paths on any macOS system. Users may have switched between the App Store and standalone versions at different points, leaving tdata directories from both variants with different modification dates.

TDF$ Binary Format

Every file within tdata/ that contains user data begins with a TDF$ header. The format is not publicly documented by Telegram. The unencrypted portion visible without decryption is:

Offset	Length	Field	Notes
0	4 bytes	Magic	`0x54 0x44 0x46 0x24` ("TDF$")
4	4 bytes	Version	Little-endian uint32, Telegram Desktop format version
8	variable	Encrypted payload	AES-IGE encrypted, key derived from user passcode

The version field is readable without decryption and can help identify the Telegram Desktop version that last wrote the file. The encrypted payload begins immediately after byte 8 and cannot be read without the decryption key.

TDF$ header (8 bytes):
+--------+--------+--------+--------+--------+--------+--------+--------+
| 0x54   | 0x44   | 0x46   | 0x24   | version (little-endian uint32)    |
| T      | D      | F      | $      |                                   |
+--------+--------+--------+--------+--------+--------+--------+--------+
  [0]     [1]     [2]     [3]     [4]     [5]     [6]     [7]

Bytes 8+: encrypted payload (AES-IGE, cannot be read without key material)

Forensic implication: The presence of TDF$ files confirms Telegram Desktop was actively used and had a logged-in account. The version number confirms the approximate release of Telegram Desktop. The file timestamps are the primary temporal artifacts — they record when accounts were created, last modified, and last accessed without requiring any decryption.

tdata Directory Structure

A typical populated tdata/ directory contains the following file hierarchy:

tdata/
├── usertag                    # Account identifier (TDF$)
├── key_data                   # Session authentication key (TDF$)
├── key_datas                  # Renewed session key (TDF$, indicates recent re-authentication)
├── settings0                  # Application settings (TDF$)
├── settings1                  # Settings backup (TDF$)
├── settingss                  # Settings working copy (TDF$)
├── secret_*                   # Secret chat key exchange traces (TDF$)
├── map*                       # Secret chat mapping data (TDF$)
├── 2fa_config                 # Two-factor authentication indicator
├── lockconfig                 # Screen lock configuration
├── dumps/                     # Crash dump files
│   └── *.dmp
├── user_data/                 # Primary account media and cache
│   ├── cache/                 # Downloaded media (often unencrypted)
│   └── media_cache/           # Additional media cache
├── user_data#2/               # Multi-account media (additional accounts)
│   ├── cache/
│   └── media_cache/
├── D877F783D5D3EF8C/          # Session-specific directory (hex-named)
│   └── ...                    # Session-related encrypted data
└── #2/                        # Second logged-in account
    ├── usertag
    ├── key_data
    └── ...

The hex-named directories (e.g., D877F783D5D3EF8C/) are session-specific data containers. Their names are derived from the account's authorization key hash. Multiple such directories indicate multiple sessions or devices.

Media Cache

The media cache is the highest-value unencrypted artifact in a Telegram Desktop installation. When a user receives or views photos, videos, voice messages, or documents, Telegram Desktop downloads and caches these files locally. The cached files are typically stored without encryption, even though the surrounding tdata/ directory uses TDF$ for all metadata.

Cache files have no extensions and their filenames are opaque identifiers (e.g., a3f4b2c1d0e5f6a7). MIME type must be inferred from file magic bytes. See Media Cache for collection details and analysis techniques.

Key Artifacts Summary

Artifact	Forensic Value	Encrypted
usertag	Account attribution — confirms Telegram was in use	TDF$
key_data / key_datas	Session authentication — presence indicates active/renewed login	TDF$
settings*	Configuration evidence — existence confirms installation age	TDF$
secret_* files	Proves secret chat usage occurred (content unreadable)	TDF$
map* files	Secret chat mapping data (content unreadable)	TDF$
user_data/cache/	Downloaded media files — photos, videos, documents	Usually not
user_data/media_cache/	Additional media cache	Usually not
Crash logs (.crash, .ips)	Application timeline, version confirmation	Plaintext
2fa_config	Two-factor authentication was configured	TDF$

macOS Version Support

macOS Version	Standalone	App Store	Notes
10.13 High Sierra	Full	Not applicable	Minimum for standalone
10.15 Catalina	Full	Full	App Store variant requires 10.15+
11 Big Sur	Full	Full	No path changes
12 Monterey	Full	Full	No path changes
13 Ventura	Full	Full	No path changes
14 Sonoma	Full	Full	No path changes
15 Sequoia	Full	Full	No path changes

The tdata format and directory structure are driven by the Telegram Desktop application release cycle, not macOS versions.

Forensic Analysis Notes

What Telegram Desktop reveals:

Telegram was installed and had at least one logged-in account
The approximate time period the account was active (from file timestamps)
Whether multiple accounts were used simultaneously (from tdata/#2/ directories)
Whether secret chats were used (from secret_* and map* file presence)
Whether two-factor authentication was enabled (from 2fa_config presence)
What media was received and viewed (from cache files)
Crash history and approximate version (from crash logs)

What Telegram Desktop conceals:

All message content — stored server-side or in unreadable TDF$ files
Contact names and phone numbers — stored in TDF$ encrypted format
Chat metadata (timestamps, participants) — server-side
Deleted messages — no local residue

Multi-account detection: Telegram Desktop supports up to six simultaneous accounts. Each additional account beyond the first creates a numbered subdirectory (tdata/#2/ through tdata/#6/). These subdirectories have independent timestamps providing a timeline of when each additional account was logged in.

Session renewal forensics: When both key_data and key_datas are present in the same account directory, the session was recently renewed. This typically occurs after a new device login or security event. When only key_data exists, the session has not been recently renewed.

File timestamp significance: Because TDF$ content cannot be read without decryption, file system timestamps on tdata/ files are the primary temporal evidence. The creation time of usertag approximates when the account was first authenticated on this device. The modification time of key_data or key_datas indicates the most recent authentication or session renewal.

Tool Support

Tool	Support Level
macfor	Full collection: accounts, tdata manifest, media cache, sessions, secret chat traces, crash logs, raw tdata (opt-in)
AXIOM	Telegram Desktop support (media cache, tdata metadata)
Cellebrite	Limited Telegram Desktop support
Manual analysis	tdata files require offline decryption tooling; media cache files are directly readable

Sub-pages

tdata Structure — TDF$ header format, directory layout, key files
Media Cache — Cache directories, MIME detection, collection options
Sessions and Secret Chats — Session key files, secret chat traces, crash logs