Blog >> Android Instagram

Investigating Android Instagram

29/12/2023 Friday

Instagram application, owned by Meta Platforms (formerly Facebook), is a widely used social media platform that provides various forms of communication. Instagram allows users to exchange diverse types of content, including text, videos, contact information, and audio messages. It provides a versatile platform for sharing and engaging with others. This application is accessible across multiple operating systems such as Windows, macOS, Linux, Android, and iOS, enabling users to connect and interact seamlessly across different devices.

Digital Forensics Value of Android Instagram

Instagram artifacts on Android devices contain valuable information such as call logs, messages, and app configuration data. The app stores chat history on the device itself, and the Instagram cloud. This information is crucial for forensic analysis as it helps investigators identify information related to users, and messages, and further build a timeline of events.

Location and Structure of Android Instagram Artifacts

Android Instagram artifact records are saved in different files under the application data file in the Android system. The messages and call artifacts are saved in an SQLite format in the database, which can be located at the following locations:
data/user/0/com.instagram.android/databases/direct.db
User preferences and contacted profiles related artifacts are saved in XML files in the following locations:
data/user/0/com.instagram.android/shared_prefs/9368974384_usersBootstrapService.xml
data/user/0/com.instagram.android/shared_prefs/9368974384_USER_PREFERENCES.xml

Analyzing Android Instagram Artifacts with ArtiFast

This section will discuss using ArtiFast to extract Android Instagram artifact from Android device's files and what kind of digital forensics insights we can gain from the artifact.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android Instagram artifact:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Instagram artifact in ArtiFast.

Android Instagram Messages

• Message Date/Time: The date and time when the message was sent.
• Conversation Key: Conversation ID.
• Recipient Name: Message recipient name.
• Sender Name: Message sender name.
• Unread: Indicates whether the message was unread.
• Description: Description.
• Sender ID: Sender ID.
• Receiver ID: Receiver ID.
• Text: Message body.
• Is Hidden in The Conversation: Indicates whether the message was deleted.
• Message Status: Message status.

Android Instagram Media Messages

• Message Date/Time: The date and time when the message was sent.
• Media Publish Time: The date and time when the media message was published.
• Conversation Key: Conversation ID.
• Media Publisher User Name: Media Publisher User Name.
• Media ID: Media ID.
• Media Original Width: Media Original Width.
• Media Original Height: Media Original Height.
• Media URL: Media URL.
• Recipient Name: Message recipient name.
• Sender User Name: Message sender name.
• Unread: Indicates whether the message was unread.
• Description: Description.
• Sender ID: Sender ID.
• Receiver ID: Receiver ID.
• Text: Message body.
• Is Hidden in The Conversation: Indicates whether the message was deleted.
• Message Status: Message status.

Android Instagram Conversations

• Time: Last activity date and time.
• Inviter Name: The inviter user’s name.
• Is Conversation Pending: Indicate whether the conversation is pending or not.
• Recipients: Conversation participants’ names.
• Is Conversation Named: Indicate whether the conversation is named or not.
• ID: Conversation ID.
• Last Message Send Time: Last message’s send time and date.
• Last Message Sender Name: Last message’s sender name.

Android Instagram Contacts

• User Name: The contact’s user name.
• Full Name: The contact’s full name.
• Phone Number: The contact’s phone number.
• Profile Picture URL: Contact’s profile picture URL.
• Followers Count: Count of followers.
• Following Count: Count of following profiles.
• Profile Privacy Status: Indicate the profile privacy status (Public\Private).
• Is User Blocked: Indicate whether the user is blocked or not.
• Post Count: Contact’s post count.

Android Instagram Call Events

• Time: Call start date and time.
• End Time: Call end date and time.
• Conversation Key: Conversation ID.
• Is Voice Call: Indicates whether the Call was a voice or video call.
• Is Joined: Indicates whether the Call was joined or missed.
• Call Description: Description.
• Sender ID: Caller ID.
• Receiver ID: Callee ID.
• Is Hidden in The Conversation: Indicates whether the message was deleted.

Android Instagram User Preference

• Time: File last modification date and time.
• Device Info Last Reported Time: Device information last report time.
• Last Posted Story Item Type: The type of the last shared story.
• Is Story Prefetch Allowed: Indicates whether Story Prefetch is Allowed.
• Is Allowing Feed Stories Fetch: Indicates whether Feed Stories fetch is Allowed.
• Is Main Feed Media Prefetch Allowed: Indicates whether Main Feed Media Prefetch is Allowed.
• Does User Have Saved Media: Indicates whether the user Has Saved Media.
• Current Ad ID: Current Ad ID.
• Receiver ID: Callee ID.
• Is Hidden in The Conversation: Indicates whether the message was deleted.

For more information or suggestions please contact: ekrma.elnour@forensafe.com