Discord Blog

Investigating Discord

16/02/2021 Tuesday

Discord is very popular among gamers for its user-friendly features, high performance and ease of use. It has generated so much praise that even if you are not a "true gamer," you might be familiar with the platform. Although Discord was initially centered around games and gamers, the platform has also gained popularity among the general public creating interest communities around education, art, business, and many others.

The platform is available on desktop (Windows, macOS and Linux), mobile (Android and iOS), and via web browsers. Discord communities are organized into "servers" by topic or event, with each server containing multiple "channels." Discord offers users the ability to communicate with voice, video, text chat and share files and media in private or public through its servers.

Digital Forensics Value of Discord Artifacts

Discord announced that the platform has over 250 million registered users worldwide, with more than 100 million monthly active users. With this large user base, it is important to be able to analyze and view critical artifacts that will support digital forensic investigations. Discord artifacts retain information like usernames, IDs, timestamps, chats, call records and other valuable information that can be vital when conducting investigations.

Location of Discord Artifacts

Similar to other Windows applications, Discord stores user generated files at C:\Users\%username%\AppData\Roaming\discord\Cache

Structure of Discord Artifacts

Discord stores user related data in the cache folder which has the same storage structure as Google Chrome Cache. Discord artifacts are stored within the cache folder in JSON files.

Analyzing Discord Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast Windows to extract and analyze Discord artifacts from Windows machines and what kind of digital forensic insights we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifacts Parser Selection Phase, you can select Discord Artifacts:

ArtiFast can analyze Discord Messages, Calls, Relationships and Viewed Accounts. For demonstration purposes, all four artifacts have been chosen, however, you have the option to select one or more artifacts as well.

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the Discord artifacts in ArtiFast software.

Discord Calls Artifact

This artifact contains information related to the calls made using Discord. The details you can view include:

Call Start Date/Time - The date and time when the call was initiated.
Call End Date/Time - The date and time when the call ended.
Caller Username - The username of the caller. Multiple users can share the same username.
Receiver Username - The username of the call receiver.
Call ID - The ID of the call, each call has a unique ID.
Channel ID - The ID of the channel where the call occurred.
Caller ID - The ID of the caller, each user has a unique ID.
Receiver ID - The ID of the call receiver.
Call Participants IDs - The IDs for all call participants.
Caller Tag - The tag is a 4-digit number displayed next to the user's username after a #. This is how Discord differentiates between users with the same username. Discord tags range from 0001 to 9999 and are randomly assigned.
Receiver Tag - 4-digit number associated with the receiver's username.

Discord Messages Artifact

This artifact contains information about messages sent and received using Discord. The details you can view include:

Message Sent Date/Time - The date and time when the message was sent.
Last Edited Date/Time - If the message has been edited, then this attribute indicates the date and time when the last edit has occurred.
Message ID - The ID of the message, each message has a unique ID.
Message - The message content.
Channel ID - The ID of the channel that the message was sent in.
Sender ID - The ID of the sender.
Sender Username - The username of the message sender.
Sender Tag - 4-digit number associated with the sender's username.
Attachment Name - If the message has an attachment, then this attribute indicates the file name of the attachment. Additionally, if a file was marked/tagged as a spoiler, the name of the filename will change to "SPOILER_filename".
Attachment Size - The size of the attachment in bytes.
Attachment URL - The saved URL of the attachment.
Embedded Message Type - Indicates the type of the embedded message (link, gif, article, etc.).
Embedded Content Title - If the message contains a link, then this attribute indicates the title displayed in the link preview.
Embedded Content Description - The description displayed in the link preview.
Pinned - Indicates whether the message is pinned or not.
Pinned Date/Time - If the message has been pinned, then this attribute indicates the date and time when the message was pinned.
Mentioned Account ID - The ID of the mentioned account.
Mentioned Account Username - The username of the mentioned account.
Mentioned Account Tag - 4-digit number associated with each mentioned account.

Discord Relationships Artifact

As the name indicates, this artifact contains a list of all user's relationships. The details you can view include:

Username - The username of the user.
Relationship Status - The type of the relationship (friends, blocked account or pending friend request).
User ID - The ID of the user.
User Tag - 4-digit number associated with the username.

Discord Viewed Accounts Artifact

This artifact contains information of all viewed accounts. The details you can view include: