Facebook Messenger Windows

Investigating Facebook Messenger Windows Application

31/08/2021 Tuesday

Facebook Messenger is an Instant Messaging (IM) service, and it ranks second among the most popular social network platforms. With more than one billion daily active users on average, it is a rich platform for investigators.

Digital Forensics Value of Facebook Messenger Artifacts

Facebook Messenger Windows application artifacts keep information like messages, conversations, participants, users contacted, shared images, transferred files, location, voice calls, and video calls along with timestamps recording each performed action. This wealth of data can help investigators with uncovering the details of a suspect’s actions.

Location of Facebook Messenger Artifacts

ArtiFast supports Facebook Messenger new and old structure. For the newer version, Facebook Messenger Windows application stores its user generated files at the following location: C:\Users\%username%\AppData\Local\Packages\FACEBOOK.317180B0BB486_8xx8rvfyw5nnt

For the older versions:
C:\Users\%username%\AppData\Local\Packages\Facebook.317180B0BB486_8xx8rvfyw5nnt\LocalState\osmeta_cache\groupcontainer-group.com.facebook.Messenger\_store_DB454929-7BCD-42B5-B105-ED95063B0D98\ messenger_messages.v1

Structure of Facebook Messenger Artifacts

The structure of the Facebook Messenger Windows application artifacts is an SQLite Database that contains multiple tables each with information regarding the users’ actions on the software.

Analyzing Facebook Messenger Artifacts with ArtiFast Windows

This section discusses how to use Artifast Windows to extract Facebook Messenger artifacts from Windows machines and what kind of digital forensic insights can be gained from the artifacts.

After you have created your case and added evidence for the investigation at the Artifact Parser Selection Phase, you can select Facebook Messenger artifacts:

ArtiFast can analyze Facebook Messenger text messages, threads, thread participants, users contacted, cashed data, attachments, shared locations, calls, and self profiles, and cached images and messages from the older versions. For demonstration purposes, all artifacts have been chosen but you have the option to parse artifacts individually as well.

Once ArtiFast parser plugins complete processing artifacts for analysis, they can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Facebook Messenger artifacts in ArtiFast software.

Facebook Messenger Text Messages Artifact

This artifact contains various types of messages input by the user or the application, these messages indicate that an activity either has happened or is happening within a conversation. These can include text messages, voice notes, gifs, stickers, pictures, videos, documents, sending location, sharing live location, voice calls, video calls, messenger rooms, changing a user's nickname, changing chat theme, someone joining the call and when the call has ended. The details you can view in Facebook messenger text messages artifact include:

Message ID - Message ID.
Offline ID - Offline Threading ID.
Text - Message Text.
Sender ID - User ID of the person sending the message.
Sticker ID - Unique ID for a sticker.
Is Admin Message - Whether the message was generated from the app itself.
Send Status - Sent message status.
Is Unsent - Whether the message was deleted or not.
Cannot Unsend Reason - Shows the possible reasons for not being able to delete a message.
Unsent Date/Time - Th date and time when a message got unsent.
Displayed Content Types - Displayed Content Types.
Sent Date/Time - The date and time message was sent.

Facebook Messenger Threads Artifact

Facebook Messenger Threads are the conversation that the messages are associated with. The details you can view include:

Thread Key - Unique key for each user thread.
Thread Type - Thread Type.
Description - Thread description.
Location - Description of thread user location.
Is Group - Whether this is a group thread.
Snippet - Last text message in chat.
Snippet Sender ID - Snippet sender contact ID.
Last Read Date/Time - Date and time last message was read.
Number of Attachments - Number of attachments in the thread.
Has More Attachments Before - Has more attachments before.
Last Activity Date/Time - Date and time last message was sent.

Facebook Messenger Thread Participant Artifact

This artifact contains the details of the individual chat thread for each user. The details you can view include:

Thread Key - Unique key for each user thread.
Contact ID - Participant unique ID.
Nickname - Participant assigned name.
Name - Participant name.
Profile Picture URL - URL of the user’s profile picture.
Is Messenger User - Whether the user is using Facebook Messenger.
Is Blocked - Whether the user is blocked.
Can Receive Messages - Whether the user can receive messages.
Rank - Participants rank within the app.
Delivered Date/Time - Date and time last message was delivered.
Read Date/Time - Date and time last message was read.

Facebook Messenger Users Contacted Artifact

Facebook Messenger Users Contacted contains information about users contacted from using Facebook Messenger. The details you can view include:

Last Active Date/Time - Date and time contacted user was last active.
User ID - Contacted user ID.
Name - Contact name.
Profile Picture URL - URL of the user’s profile picture.
Is Messenger User - Whether the user is using Facebook messenger.
Can Receive Messages - Whether the user can receive messages.
User Relationship - User relationship with account owner.
Status - User status.
Rank - User rank within the app.

Facebook Messenger Cached Data Artifact

This artifact represents the Facebook Pictures artifact found and can be recovered on the system that originated from Facebook itself. These pictures can be user profile pictures, friends' pictures, or any other picture that gets cached while browsing Facebook. The details you can view in Facebook messenger cached data include:

Creation Date/Time - The date and time when the cached entry was created.
Cache Entry Last Used Date/Time - The date and time when the cached entry was last used.
Cache Entry Last Modified Date/Time - The date and time when the cached entry was last modified.
Reuse Count - The number of times the use used the cache file.
State - The state of the cache file.
Key - The cache entry key.
Content Size - The size of the cache file.
Content Type - The type of cache file.
File Name - Represents the cache file name.
Payload - Indicates the cache storage location.
Is Dirty - Indicates whether is dirty or not.
Refetch Count - Indicates the number of times the cached entry was refetched.
Long Key Data - Cache long key data.
HTTP Content - HTTP header contents.

Facebook Messenger Attachments Artifact

This artifact includes the data of every type of attachment and its related information, such as, pictures, videos, GIFs, audio calls, video calls, and messenger rooms. The details you can view include:

Sent Date/Time - Date and time when the attachment was sent.
Thread Key - A unique numerical key for each user thread.
Message ID - Internal unique message ID.
Offline Attachment ID - Offline attachment sending ID.
Attachment Facebook ID - Unique ID for each Facebook attachment.
Attachment Type - Attachment type.
File Name - The name of the sent attachment.
File Size - The size of the sent attachment.
Has Media - Represents whether the sent attachment has a media file.
Playable URL - The URL for the sent attachment.
Mime Type - Attached file type.
Preview URL - The preview link for the sent attachment.
Title Text - The title that is written on the attachment in chat.
Subtitle Text - The subtitle that is written on the attachment in chat.
Default CTA ID - The CTA attachment default ID.
Default CTA Title - The CTA attachment title.
Default CTA Type - The CTA attachment type.

Facebook Messenger Shared Locations Artifact

Facebook Messenger Shared Locations includes all the shared location data recovered from Facebook Messenger. The details you can view include:

CTA ID - The CTA attachment default ID.
Entry Facebook ID - A unique ID for Facebook shared location entry.
Thread Key - A unique numerical key for each user thread.
Message ID - Internal unique message ID.
Title - The location message title.
Action URL - The shared location map view URL.
Native URL - The latitude & longitude of the sent address.

Facebook Messenger Calls Artifact

Facebook Messenger Calls contains the call data recovered from Facebook Messenger. The details you can view include:

CTA ID - The CTA attachment default ID.
Call Facebook ID - A unique ID for each Facebook item.
Thread Key - A unique numerical key for each user thread.
Message ID - Internal unique message ID.
Title - The call title.
Type - The call title.
Call Direction - Call direction.

Facebook Messenger Self Profile Artifact

The Facebook Messenger Self Profile represents the main user account profile data. The details you can view include:

User ID - A unique numerical key for each user thread.
Birthday - The birth date of the user.
State - The state the user is living in.
Zip Code - The zip code the user is living in.
Phone Number - The user phone number.
Email Address - The user email address.

Facebook Messenger Cached Images Artifact

This artifact contains information about Facebook Messenger Windows App cached images. The details you can view include:

Last Access Date/Time - The date and time when the cached image was last accessed.
Modification Date/Time - The date and time when the cached image was last modified.
File Name - Cached image file name.
File Size - Cached image file size.
Image Path - Image Path.

Facebook Messenger Messages Artifact

This artifact contains information about Facebook Messenger Windows Messages. The details you can view include: