Blog >> Android Facebook Messenger

Investigating Android Facebook Messenger

29/09/2023 Friday

Facebook Messenger is a cross platform instant messaging application from Meta. Facebook Messenger is the main instant messaging application for Facebook, and Instagram. The application provides users with the ability to exchange messages, media, files, and supports voice and video, These features available in private chats as well as group chats.

Digital Forensics Value of Android Facebook Messenger

Android Facebook Messenger is a treasure trove for forensic analysts, brimming with valuable artifacts like accounts, activities, shared files, calls, messages, and media. This wealth of information can make play an important role in digital forensics investigations; where it can help identifying people, location and more.

Location of Android Facebook Messenger Artifacts

Android Facebook Messenger artifacts can be found at the following location:
data/user/0/com.facebook.orca/databases/threads_db2

Analyzing Android Facebook Messenger Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract Facebook Messenger from Android device and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Android Facebook Messenger artifacts:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android Facebook Messenger artifacts in ArtiFast.

Android Facebook Messenger Messages Artifact

• Time - Date/Time message was sent.
• Sender Name - The name of the message sender.
• Message ID - The message ID.
• Thread Key - The thread key (ID).
• Admin Message - Indicates whether the message is Admin message.
• Sender ID - The message sender ID.
• Receiver ID - The message receiver ID.
• Unset - Indicates whether the message was unsent.
• Mention IDs - message mention IDs.
• Text - Message content.
• Is forwarded - Indicates whether the message was forwarded.
• Receiver name - Message receiver name.
• Attachment File Name - Attachment file name.

Android Facebook Messenger Contacts Artifact

• Rank – Contact rank.
• Username - The contact username.
• Name – The contact’s name.
• Profile Picture URL - The contact profile picture’s URL.
• Is Messenger User – Indicates whether the contact is a messenger user.
• Contact ID - Contact ID.
• Last Name - Contact last name.
• First Name - Contact first name.

Android Facebook Messenger Calls Artifact

• Time - Call date/time.
• Call Media Type - Indicates whether the call was a video or an audio call.
• Call State - Indicates the status of the call ( answer, declined, or missed).
• Call Direction - Indicates whether the call was incoming, or outgoing.
• Call Duration - The call duration in seconds.

Android Facebook Messenger Rooms Artifact

• Room ID - The room ID.
• Owner ID - Room owner’s user ID.
• URL - Room’s URL.
• Name - The room name.
• Time - Call start time.
• Last Call Start Time - Last call start time.
• Last Call End Time - Last call end time.

Android Facebook Messenger Attachments Artifact

• Time - Date/Time of the message.
• Sender Name - Sender name.
• Message ID - Message ID.
• Media Local Path - Media local path.
• Preview URL - Preview URL.
• Sender ID - Sender ID.
• Receiver ID - Receiver ID.
• Title Text - Title text.
• File name - The file name.
• Subtitle Text - The subtitle text.
• Has Media - Indicates whether the message has media.
• Receiver name - Message Receiver name.
• Media Type - The media type.
• Sent or Received Message/Attachment - Indicates the status of the attachment.
• Media URL - Media URL.
• File Size - The file size.
• Default Title - Title as it appears in the chat.

Android Facebook Messenger Threads Artifact

• Time - Last activity timestamp.
• Thread Key - The thread key (ID).
• Thread Name - The thread name.
• Parent Thread Key - Parent thread key.
• Is Admin snippet - Indicates whether the message is Admin message.
• Has Pending Invitation - Indicates whether the thread contains a pending invitation.
• Snippet Sender Contact ID - Sender ID.
• Picture URL - The snippet’s picture URL.
• Participants - Thread participants' user IDs’.
• Member count - Thread members count.
• Is Disappearing Mode - Indicates whether the thread is in disappearing mode.
• Folder Name - Thread folder name.
• Mute Expire Date/Time - The mute expiration time in milliseconds.
• Description Text 1 - Description text 1.
• Description Text 2 - Description text 2.
• Description Text 3 - Description text 3.
• Snippet - The snippet.
• Draft Message - Draft message(s) if exist.
• Active Member - Active member(s) if exist.

For more information or suggestions please contact: ekrma.elnour@forensafe.com