Blog >> Android GroupMe

Investigating Android GroupMe

03/02/2023 Friday

GroupMe is a cross platform instant messaging application available on both Android and iOS. The app has various features enabling users to create and manage groups, share information and updates, schedule events, polls, and surveys. Additionally, the app gives users the ability to share their location and make voice and video calls. GroupMe also offers a wide range of customized options for personalizing the user experience.

Digital Forensics Value of GroupMe

GroupMe keeps records of user’s activities stored locally on the device such as the accounts that the local user has logged in with on the device, the messages sent and received by the local user, details related to groups, contacts and more. This data can be helpful during a digital analysis to determine the connection between individuals, the timing and location of communications and so on.

Location of GroupMe Artifacts

GroupMe artifacts are found in the following location:
data/com.groupme.android/databases/groupme.db
data/com.groupme.android /app_webview/Default/Cookies
data/com.groupme.android/databases/tray.db

Analyzing GroupMe with ArtiFast

This section will discuss how to use ArtiFast to extract GroupMe from Android and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select GroupMe artifacts.

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Android GroupMe artifacts in ArtiFast.

Android GroupMe Contacts Artifact

• Date - The date and time the user was added.
• Avatar URL - The URL of the profile picture.
• Display Name - Username.
• User ID - User unique identifier.

Android GroupMe Messages Artifact

• Date - The date and time the when the message was sent.
• Sender ID - Message sender ID.
• Sender Name - Message sender name.
• Members Recipient ID(s) - Message recipient (s) ID(s).
• Recipient Name(s) - Message recipient name(s).
• Message - Message content.
• Location - The name of the location sent with the message.
• Deletion Actor - Indicates whether the message was deleted.
• Deletion Time/Date - The date and time when the message was deleted if deleted.
• Conversation ID - The conversation ID.
• Latitude - The latitude of the location sent with the message.
• Longitude - The longitude of the location sent with the message.
• Event - The event sent with the message.
• Poll - The poll details sent with the message.
• Document Title - The document details sent with the message.
• Video URL - The URL to the video associated with the message.
• Photo URL - The URL to the photo associated with the message.
• Made Favorite By - The user ID(s) of the users who favored the message.

Android GroupMe Groups Artifact

• Date - The date and time when the group was updated.
• Group ID - The group ID.
• Group Name - Name of the group.
• Group Type - The type of the group.
• Group Member Role - The roles of all of the group's members.
• Creator ID - The identifier of the group creator.
• Group Picture URL - The URL of the group picture.
• Group Member Names - The names of all of group's members.
• Group Topic - The description (topic) of the group.
• Group Member ID - The IDs of all of the group's members.
• Created Date/Time - The date and time when the group was created.

Android GroupMe Accounts Artifact

• Date - The date and time when the local user logged on the device.
• Display Name - The name of the local User.
• User ID - User unique identifier.
• Email Address - User email address.
• Access Token/Password - Local user access token/password.
• Profile Picture URL - URL of the profile picture of the local user.
• Phone Number - Phone number of the local user.

Android GroupMe Cookies Artifact

• Last Access Time - The date and time when the cookie was last accessed.
• Created Time - The date and time when the cookie was created.
• Host - The domain of the cookie.
• Name - The name of the cookie.
• Value - The value of the cookie.
• Path - The path of the cookie value.
• Expiration Date/Time - The date and time when the cookie will expire.
• Is Secure - Indicates whether the cookie is secure.
• Is HttpOnly - Indicates whether the cookie is using HTTP only.

For more information or suggestions please contact: ekrma.elnour@forensafe.com