Investigating Android Firebase Cloud Messaging
29/11/2024 Friday
Firebase Cloud Messaging (FCM), previously known as Google Cloud Messaging (GCM), is a cross-platform cloud service for sending messages and notifications. FCM is commonly used by third-party application developers to deliver notifications or messages from FCM-hosted servers to users. These messages help engage users by providing updates, news, promotions, or other relevant content.
Digital Forensics Value of Android Firebase Cloud Messaging
Since FCM is a service used by many application developers, collecting data from its forensic artifacts can provide investigators with valuable information. FCM data can offer insights into notifications and messages sent to or from a device, including timestamps and message content, which may reveal user engagement or actions taken in response to notifications. As observed from the parsers below, FCM artifacts can include data from popular apps such as Instagram, TikTok, Twitter, and more. This recovered information may have been deleted by the original app, so FCM artifacts provide investigators with an additional opportunity to retrieve deleted data
Location of Android Firebase Cloud Messaging Artifacts
Android Firebase Cloud Messaging artifacts can be found at the following location:
*/com.google.android.gms/*/fcm_queued_messages.ldb/*
Analyzing Android Firebase Cloud Messaging Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Android Firebase Cloud Messaging artifact from Android devices and what kind of digital forensics insights we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android Firebase Cloud Messaging artifact parsers:
×
Once ArtiFast parsers plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Firebase Cloud Messaging artifact in ArtiFast.
Android FCM Records
- Record ID: The record ID as extracted from the levelDB record.
- Key: The key sent by the server to the FCM client application as extracted from the levelDB record value.
- Value: The value associated with this key, sent by the server to the FCM client application as extracted from the levelDB record value.
- Package Name: The name of the package associated with this record.
- Event Date/Time: The date and time when this event has been recorded.
Android FCM Instagram Notifications
- Record ID: The record ID as extracted from the levelDB record.
- Notification Type: The type of this notification.
- Notification: The notification details.
- Push Notification ID: The push notification ID.
- IG EndPoint: The Instagram EndPoint associated with this notification.
- Event Date/Time: The date and time when this event has been recorded.
Android FCM TikTok Notifications
- Record ID: The record ID as extracted from the levelDB record.
- Notification Type: The type of this notification.
- Notification: The notification details.
- Event Date/Time: The date and time when this event has been recorded.
Android FCM Twitter Direct Messages
- Conversation ID: The conversation ID that the message belongs to.
- Message Date/Time: The date/time when this message has been sent/received.
- Message Body: The body of the message.
- Recipient ID: Recipient ID.
- Recipient Profile Image URL: The URL for the recipient profile image.
- Recipient Bio: Recipient bio.
- Recipient User Name: Recipient user name.
- Recipient Full Name: The recipient's full name.
- Sender ID: Sender ID.
- Sender Profile Image URL: The URL for the sender profile image.
- Sender Bio: Sender bio.
- Sender User Name: Sender user name.
- Sender Full Name: The sender's full name.
Android FCM Twitter Topics
- Image URL: The image URL.
- Tweet Date/Time: The date/time when this tweet has been published.
- Text: The text of this tweet.
- Recipient ID: Recipient ID.
- Recipient Profile Image URL: The URL for the recipient profile image.
- Recipient Bio: Recipient bio.
- Recipient User Name: Recipient user name.
- Recipient Full Name: The recipient's full name.
- Sender ID: Sender ID.
- Sender Profile Image URL: The URL for the sender profile image.
- Sender Bio: Sender bio.
- Sender User Name: Sender user name.
- Sender Full Name: The sender's full name.
Android FCM Geo Locations
- Event Date/Time: The date and time when this event has been recorded.
- Latitude: The latitude associated with this location.
- Longitude: The longitude associated with this location.
- Location: This location information.
For more information or suggestions please contact: kalthoum.karkazan@forensafe.com
