IM+ Blog

Investigating IM+

22/12/2020 Tuesday

IM+ is an instant messaging and audio/video calling application as well as a social networking platform. It provides multimedia file sharing, custom notifications, user status, and easily switching between platforms. IM+ supports multiple accounts per service and available for Windows, IOS, and macOS devices.

Digital Forensics Value of IM+ Artifacts

IM+ artifacts display information about the user, their activity, shared files, and the service that has been used. From a digital forensic perspective, it can provide us with a lot of resources that can be used as critical evidence. Tracking such information is essential throughout the digital analysis process.

Location of IM+ Artifacts

IM+ artifacts are located at the following locations:

%USERPROFILE%\AppData\Local\Packages\shapegmbh.implus_[XXXXXXXXXXXXX]\Account\Accounts.dat %USERPROFILE%\AppData\Local\Packages\shapegmbh.implus_[XXXXXXXXXXXXX]\Contact\Contacts.dat %USERPROFILE%\AppData\Local\Packages\shapegmbh.implus_[XXXXXXXXXXXXX]\Conversation\Conversations.dat %USERPROFILE%\AppData\Local\Packages\shapegmbh.implus_[XXXXXXXXXXXXX]\Messages\*.dat

Structure of IM+ Artifacts

IM+ data and information are stored in .dat files. These files contain information about the user's accounts, contacts, conversations and messages.

Analyzing IM+ Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze IM+ artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select IM+ artifacts:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of IM+ artifacts in ArtiFast software.

IM+ Accounts Artifact

Last Received Message Time in Sec - The last received message time in seconds.
Last Received Message ID - The Id of the last received message.
Account Name - Account name.
Refresh Token - The refresh token.
Public Status Message - Public status message.
Show External Contacts - Indicates whether the external contacts are enabled.
Is On - Indicates whether account is on.
Access Token - Account access token.
Phone Number - Account phone number.
Status - Account status (Online/Offline/Away).
Access Token Expired Count - The access token expired count.
Show On Mobile - Indicates whether show on mobile is enabled.
Resource - The account resource.
Login Name - Account login name.
Contact List Hash On Author Received - Indicates whether the contact list hash on author received is enabled.
Yahoo Connect Data - Indicates whether Yahoo connect data is enabled.
Show Offline - Indicates whether show offline is enabled.
Birthday - The account birthday.
Service - The account service.
Is contact List Hash Compared - Indicates whether the contacts list hash compared is enabled.
Registration State - The registration state (Registered/Not Registered).
Is Change Status In All Locations - If change status in all locations is enabled, value equal ‘true’ if not ‘false’.
Is contacts From Address Book - Indicates whether the contacts are from the address book.
Password - Account password.
Port - The account port.
SSL - Indicates whether the account is using SSL.
Gender - The gender of the account user.
Avatar Hash - The avatar hash.
Author Method - The author method.
Contact List Hash - The contact list hash.
Encoding - The account encoding.
Japan Server - Indicates whether the server is in Japan.
Priority - The account priority.
Enable History - Indicates whether the account history is enabled.
Country - The account country.
Last Modified Date - The date and time an account was last modified.

IM+ Contacts Artifact

Is Favorite - Indicates whether the contact is favorited.
Using Coefficient - The contact coefficient.
Is Our Status Visible - Indicates whether the user status is visible.
Avatar Hash - The avatar hash.
Contact ID - The contact ID.
Group - The contact group.
Group ID - The contact group ID.
Is Bot - Indicates whether the contact is a bot.
Logged-in User - The logged-in user account.
Nick - The account nickname.
Is Blocked - Indicates whether the user is blocked.
Service Name - The account service name.
Is enable Online Notifications - Indicates whether online notifications are enabled.
Last Seen - The contact last seen online.
Authorized - Indicates whether the contact is authorized.
Status - The contact status (Online/Offline/Away).
Unread Message Count - The contact Unread messages count.
Last Modified Date - The date and time the contacts were last modified.

IM+ Conversations Artifact

Contact Is Blocked - Indicates whether the contact is blocked.
ID - The contact ID.
Custom Status - The account status (Online/Offline/Away).
Contact Is Our Status Visible - Indicates whether the contact status is visible.
Contact Is Bot - Indicates whether the contact is a bot.
Contact Is Enabled Online Notifications - Indicates whether online notifications are enabled.
Contact Nick - The contact nickname.
Contact Status - The contact status (Online/Offline/Away).
Dialog ID - The dialog ID.
Contact is Favorite - Indicates whether the contact is favorited.
Service - Account service name.
Unread Message Count - The contact Unread messages count.
Display Name - The user display name.
Is Multi Chat - Indicates whether multi chat is enabled.
Multichat Topic - The Multichat topic.
Contact Avatar Hash - The contact avatar hash.
Contact Group ID - The contact group ID.
Is Empty Chat - Indicates whether the chat is empty.
Last Contact Seen - The contact last seen online.
Contact Unread Message Count - The contact Unread messages count.
Name - The contact’s name.
Contact Authorized - Indicates whether the contact is authorized.
Contact Group - The contact group.
Contact Using Coefficient - the contact coefficient.
Login - The contact logging email.
Last Modified Date - The date and time a conversation was last modified.

IM+ Messages Artifact