Even more MEGA


Chris Lees recently published research into decrypting the MEGA megaprefences database, and went further by releasing a script to automate the process. This was truly excellent work, and generous to share this with the community.

With his permission, I’ve adapted his script, added in some extra nuggets from some research, and provide some validation below.

Further research

Within the megapreferences database is the completedtransfers table.

Many of the column names and values are straight forward, but a couple need some clarification. State and Type.

Examining the application code (decompiled using jadx-gui), a number of keys and values can be found relating to transferstate and transfertype.

ALEAPP

Bringing this all together, the artefact submitted to ALEAPP will look something like the below.

ALEAPP

Validation

Let’s examine a few of these records. Below is a comparison of the artefact versus notes made whilst populating data.

Item 1

A plain upload to the MEGA cloud storage.

TimestampAppSubjectDetail
20 Mar 2022 at 10:51CameraPhotoFlowers
20 May 2022 at 09:14MegaUploadFlowers Photo
Notes
Artefact

The timestamp of the upload, folder, filename, size, direction and state were all consistent with the original file. The transfer path provides a further artefact.

Item 3

Sending an image via chat.

TimestampAppSubjectDetail
27 Mar 2022 at 10:01CameraPhoto“No unauthorised access” sign
21 May 2022 at 09:09MegaSent image“No unauthorised access” sign
Notes
Artefact

The timestamp of the upload, folder, filename, size, direction and state were all consistent with the original file. This time, the transfer path was the consistent with the original and not a cached file like before.

Item 6

Saving an image recevied via chat.

TimestampAppSubjectDetail
28 May 2022 at 19:48MegaReceived imageTap Photo
28 May 2022 at 19:56MegaImport from ChatTap Photo
Notes
Artefact

The timestamp was consistent with the download time. The folder was consistent with the destination. The filename reflected the original filename on the senders device. The size, direction and state were consistent. And the transfer path was consistent with the destination.

Closing remarks

I want to reiterate that this is a prime example of standing on the shoulders of giants. Credit should go to Chris Lees for doing the initial research, publishing the decryption method, which is what made this possible.

This artefact has been submitted to ALEAPP, so thanks to Alexis Brignoni for maintaining and the project.

As always, interested in your thoughts and feedback.


One response to “Even more MEGA”

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create your website with WordPress.com
Get started
%d bloggers like this: