Telegram Desktop
Sessions and Secret Chats
Overview
Telegram Desktop session artifacts are the TDF$ encrypted files that authenticate the application to Telegram's servers and persist login state across restarts. While their contents are not readable without decryption, the presence, absence, and timestamps of session key files provide significant forensic information: whether an account is currently logged in, when the session was last renewed, and which account indices are active.
Secret chats in Telegram are end-to-end encrypted conversations that are specifically designed to leave no server-side record. They are initiated with a key exchange that generates a shared encryption key stored only on the participating devices. On macOS, this key exchange leaves behind trace files in the tdata/ directory. These trace files cannot be decrypted without the original key material, but their presence proves that the user participated in secret chats — a significant behavioral indicator in investigations involving covert communication.
Crash logs and diagnostic reports complement these artifacts by providing a timeline of application crashes, version information, and evidence of Telegram Desktop's operational history on the device.
Session Key Files
File Locations
| File | Path (relative to tdata/) | Forensic Meaning |
|---|---|---|
key_data | tdata/key_data | Active session authentication key |
key_datas | tdata/key_datas | Renewed session key (written during re-authentication) |
key_data (account 2) | tdata/#2/key_data | Active session for the second account |
key_datas (account 2) | tdata/#2/key_datas | Renewed session for the second account |
Both files use the TDF$ binary format. Their contents are encrypted and cannot be read without the account's encryption key material.
Session Status Detection
macfor infers session status from file presence without decryption:
| Files Present | Inferred Status | Meaning |
|---|---|---|
key_data only | active | Session established; not recently renewed |
key_data + key_datas | renewed | Session was recently renewed (re-authentication or new device login) |
| Neither file | No session | Account was logged out; session key files deleted |
The key_datas naming convention (with trailing s) is Telegram's internal notation for a "safe copy" written during a session renewal operation. When both files coexist, the key_datas modification timestamp records the most recent renewal event.
Session Record Fields
Each session key file produces a telegram_sessions record:
| Field | Type | Description |
|---|---|---|
key_file | string | Filename ("key_data" or "key_datas") |
size | integer | File size in bytes |
mod_time | string | Modification timestamp (RFC 3339) |
is_tdf_encrypted | boolean | Whether the file begins with TDF$ magic bytes |
tdf_version | integer (optional) | TDF$ version number from header |
status | string | "active", "renewed", or "unknown" |
account_index | integer | Account number (1 = primary, 2–6 = additional) |
user | string | macOS username |
variant | string | "standalone" or "appstore" |
Example record (active primary account):
{
"key_file": "key_data",
"size": 824,
"mod_time": "2025-10-15T11:42:07Z",
"is_tdf_encrypted": true,
"tdf_version": 2008012,
"status": "active",
"account_index": 1,
"user": "alice",
"variant": "standalone"
}
Example record (renewed session — both files present):
{
"key_file": "key_datas",
"size": 824,
"mod_time": "2025-11-18T08:31:55Z",
"is_tdf_encrypted": true,
"tdf_version": 2008012,
"status": "renewed",
"account_index": 1,
"user": "alice",
"variant": "standalone"
}
Two-Factor Authentication Indicators
macfor checks for the presence of 2FA configuration files in the tdata/ root:
| File | Meaning |
|---|---|
tdata/2fa_config | Two-factor authentication was configured |
tdata/lockconfig | Application screen lock was configured |
These files do not confirm whether 2FA is currently active — only that it was configured at some point while Telegram was installed on this device. Their presence is logged during session collection.
Secret Chat Traces
What Secret Chats Leave Behind
Telegram's secret chats are end-to-end encrypted conversations that do not sync to Telegram's servers. When a secret chat is initiated, Telegram Desktop stores the key exchange data and session state in the tdata/ directory. These files are TDF$ encrypted — the actual conversation keys and content cannot be read — but their existence proves the user engaged in secret chat activity.
| File Pattern | Trace Type | Meaning |
|---|---|---|
secret_* | key_exchange | Secret chat key exchange data |
map* | mapping | Secret chat session mapping |
The secret_* files hold the key material for active secret chats. The map* files contain a mapping of secret chat sessions. Either type of file proves the device was a participant in end-to-end encrypted Telegram conversations.
Secret Chat Trace Record Fields
Each detected trace file produces a telegram_secret_chat_traces record:
| Field | Type | Description |
|---|---|---|
file_path | string | Filename within the tdata directory |
size | integer | File size in bytes |
mod_time | string | Modification timestamp (RFC 3339) |
is_tdf_encrypted | boolean | Whether the file begins with TDF$ magic bytes |
tdf_version | integer (optional) | TDF$ version from header |
trace_type | string | "key_exchange" (secret_* files) or "mapping" (map* files) |
user | string | macOS username |
variant | string | "standalone" or "appstore" |
Example record:
{
"file_path": "secret_0a1b2c3d",
"size": 2048,
"mod_time": "2025-09-22T16:14:39Z",
"is_tdf_encrypted": true,
"tdf_version": 2008012,
"trace_type": "key_exchange",
"user": "alice",
"variant": "standalone"
}
Secret chat evidence is behavioral, not content
Secret chat trace files prove that the user participated in end-to-end encrypted Telegram conversations. They do not expose message content, participant identities, or conversation timestamps. The fact of secret chat usage is itself a significant behavioral indicator in many investigations.
Account Identification Records
In addition to session key files, macfor collects account identification records that aggregate the key identity artifacts for each account:
| Field | Type | Description |
|---|---|---|
user | string | macOS username |
account_index | integer | Account number (1 = primary) |
variant | string | "standalone" or "appstore" |
session_files | array | List of session key files found (key_data, key_datas) |
has_usertag | boolean | Whether the usertag file is present |
usertag_version | integer (optional) | TDF$ version from usertag header |
usertag_size | integer (optional) | Size of the usertag file in bytes |
key_data_version | integer (optional) | TDF$ version from the primary key file |
key_data_size | integer (optional) | Size of the primary key file in bytes |
file_created | string (optional) | Earliest creation time across identity files (RFC 3339) |
file_modified | string (optional) | Latest modification time across identity files (RFC 3339) |
file_accessed | string (optional) | Latest access time across identity files (RFC 3339) |
source_path | string | tdata directory path for this account |
The file_created timestamp is the most forensically significant: it records the earliest creation time across the usertag, key_data, and account directory, approximating when this account was first logged into Telegram Desktop on this macOS device.
Crash Logs and Diagnostic Reports
Collection Locations
Telegram Desktop crash logs are collected from three locations:
| Location | Description | Requires Root |
|---|---|---|
~/Library/Logs/DiagnosticReports/Telegram*.crash | User-level crash reports (old format) | No |
~/Library/Logs/DiagnosticReports/Telegram*.ips | User-level crash reports (JSON format, macOS 12+) | No |
/Library/Logs/DiagnosticReports/Telegram*.crash | System-level crash reports | Yes |
tdata/dumps/ | In-process crash dumps written by Telegram | No |
The user-level DiagnosticReports/ directory is always scanned. The system-level directory is only scanned when macfor is running as root. tdata/dumps/ is scanned for all detected Telegram installations.
Crash Log Record Fields
Each crash log file produces a crash_logs record:
| Field | Type | Description |
|---|---|---|
file_path | string | Full path to the crash log |
file_name | string | Base filename |
size | integer | File size in bytes |
mod_time | string | Modification timestamp (RFC 3339) |
report_type | string | "crash" (.crash files), "ips" (.ips files), or "dump" (tdata/dumps) |
user | string | macOS username |
Example record:
{
"file_path": "/Users/alice/Library/Logs/DiagnosticReports/Telegram-2025-10-14-143022.crash",
"file_name": "Telegram-2025-10-14-143022.crash",
"size": 48192,
"mod_time": "2025-10-14T14:30:22Z",
"report_type": "crash",
"user": "alice"
}
Crash Log Forensic Value
- Crash timestamps: The filename of a
.crashor.ipsfile typically includes the crash date and time. The modification timestamp on the file confirms when the crash occurred. - Version identification: Crash reports contain the Telegram Desktop version number in their text content. This can help correlate the artifact with a specific version of Telegram Desktop.
- Application timeline: A series of crash logs establishes that Telegram Desktop was actively running during specific periods.
- tdata/dumps files: Crash dump files written directly by Telegram Desktop may contain more detailed internal state than the macOS-generated crash reports.
Collection Options
| Option | Default | Description |
|---|---|---|
skip_sessions | false | When true, skips session key file collection |
skip_secret_chat_traces | false | When true, skips secret chat trace detection |
Crash log collection is always enabled and cannot be individually disabled. Account identification is always collected.
# Default collection (all session artifacts)
macfor-pro collect --plugin messaging.telegram --output ./evidence.zip
# Skip sessions and secret chat traces
macfor-pro collect --plugin messaging.telegram \
--option skip_sessions=true \
--option skip_secret_chat_traces=true \
--output ./evidence.zip
Forensic Analysis Notes
Account first-login dating: The file_created field in account records represents the earliest creation timestamp across usertag, key_data, and the account directory. On APFS volumes, where birth times are reliably preserved, this timestamp closely approximates the first time this Telegram account was authenticated on the macOS device.
Logout detection: A tdata/ directory that contains settings* files but lacks key_data and key_datas indicates the account was explicitly logged out. Telegram deletes session key files on logout but leaves settings files in place. The modification time of settings0 or settings1 may record when the logout occurred.
Multi-account behavioral patterns: The combination of multiple account directories (tdata/#2/, etc.) with different file_created timestamps indicates the user added additional Telegram accounts over time. The timestamps can establish a sequence: which account was added first, and whether accounts were added around specific dates relevant to the investigation.
Secret chat file count: The number of secret_* files indicates the number of active secret chat sessions that existed at collection time. Multiple files suggest multiple simultaneous secret conversations. Note that Telegram removes secret chat files when a secret chat is explicitly deleted or the key expires.
Renewal events as security indicators: A key_datas file with a recent modification timestamp — particularly one that coincides with other suspicious activity — may indicate a new device login or a forced re-authentication event. Telegram triggers session renewal when a new device joins the account or when certain security thresholds are crossed.