This paper presents a forensic analysis of Telegram messenger (running on Android) which is a popular instant messaging application that offers secure one-to-one, one-to-many and many-to-many communication services reportedly used for various criminal activities. Various works have been reported on forensic analysis of Instant Messaging (IM) applications, but there is the need to follow investigative standards treating all cases as if they would end up in court. Hence, this study used the National Institute of Standards Technology (NIST) methodology which has four (4) forensic stages namely, collection, examination, analysis and reporting. The results from this research are a comparison of evidence obtained in form of conversation database, direct and group messages, images and documents sent and received between a rooted smart phone and a non-rooted smart phone. The output of this research will be beneficial to forensic investigators and researchers in identifying and recovering digital evidence from telegram messenger on android devices which can form a reference in proceedings to combat cybercrime.