Blog >> iOS Facebook Messenger

Investigating iOS Facebook Messenger

25/11/2022 Friday

Facebook Messenger is a cross platform instant messaging application from Meta. Facebook Messenger is the main instant messaging application for Facebook, Instagram, Portal, and Oculus (yet to be released). The application provides users with the ability to exchange messages, media, files, and supports voice and video, These features available in private chats as well as group chats.

Digital Forensics Value of iOS Facebook Messenger

Meta (used to be known as Facebook), one of the most known social media platform products and service providers. Messenger is the main messaging application for Facebook, Instagram, two of the most used platforms, in additions to two other platforms yet to be released. The application is one of the most downloaded and used in its category which makes it an important source of information during investigations.

Location of iOS Facebook Messenger Artifacts

In the latest version of Messenger ( v 368.0.0 ), - the artifacts are stored in - the following path :
private\var\mobile\Containers\Shared\AppGroup\FE2EA7F6-A251-42A1-B17B-54D681C98C07\lightspeed-****.db

Whereas previously it was stored in the following location :
private\var\mobile\Containers\Shared\AppGroup\A7595D29-7E75-4EE0-9D42-29F19B95B275\Library\Application Support\lightspeed-userDatabases\ ****.db

**** Represents the user’s ID

Analyzing iOS Facebook Messenger Artifacts with ArtiFast

This section will discuss how to use ArtiFast to extract Facebook Messenger from iOS m and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select iOS Facebook Messenger artifacts:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of iOS Facebook Messenger artifacts in ArtiFast.

iOS Facebook Messenger Messages Artifact

• Time - Date/Time message was sent.
• Sender Name - The name of the message sender.
• Message ID - The message ID.
• Thread Key - The thread key (ID).
• Admin Message - Indicates whether the message is Admin message.
• Sender ID - The message sender ID.
• Receiver ID - The message receiver ID.
• Unset - Indicates whether the message was unsent.
• Mention IDs - message mention IDs.
• Text - Message content.
• Is forwarded - Indicates whether the message was forwarded.
• Receiver name - Message receiver name.
• Attachment File Name - Attachment file name.

iOS Facebook Messenger Contacts Artifact

• Rank – Contact rank.
• Username - The contact username.
• Name – The contact’s name.
• Profile Picture URL - The contact profile picture’s URL.
• Is Messenger User – Indicates whether the contact is a messenger user.
• Contact ID - Contact ID.
• Last Name - Contact last name.
• First Name - Contact first name.

iOS Facebook Messenger Calls Artifact

• Time - Call date/time.
• Call Media Type - Indicates whether the call was a video or an audio call.
• Call State - Indicates the status of the call ( answer, declined, or missed).
• Call Direction - Indicates whether the call was an ingoing, or an outgoing call.
• Call Duration - The call duration in seconds.

iOS Facebook Messenger Rooms Artifact

• Room ID - The room ID.
• Owner ID - Room owner’s user ID.
• URL - Room’s URL.
• Name - The room name.
• Time - Call start time.
• Last Call Start Time - Last call start time.
• Last Call End Time - Last call end time.

iOS Facebook Messenger Attachments Artifact

• Time - Date/Time of the message.
• Sender Name - Sender name.
• Message ID - Message ID.
• Media Local Path - Media local path.
• Preview URL - Preview URL.
• Sender ID - Sender ID.
• Receiver ID - Receiver ID.
• Title Text - Title text.
• File name - The file name.
• Subtitle Text - The subtitle text.
• Has Media - Indicates whether the message has media.
• Receiver name - Message Receiver name.
• Media Type - The media type.
• Sent or Received Message/Attachment - Indicates the status of the attachment.
• Media URL - Media URL.
• File Size - The file size.
• Default Title - Title as it appears in the chat.

iOS Facebook Messenger Threads Artifact

• Time - Last activity timestamp.
• Thread Key - The thread key (ID).
• Thread Name - The thread name.
• Parent Thread Key - Parent thread key.
• Is Admin snippet - Indicates whether the message is Admin message.
• Has Pending Invitation - Indicates whether the thread contains a pending invitation.
• Snippet Sender Contact ID - Sender ID.
• Picture URL - The snippet’s picture URL.
• Participants - Thread participants user IDs’.
• Member count - Thread members count.
• Is Disappearing Mode - Indicates whether thread is in disappearing mode.
• Folder Name - Thread folder name.
• Mute Expire Date/Time - The mute expiration time in milliseconds.
• Description Text 1 - Description text 1.
• Description Text 2 - Description text 2.
• Description Text 3 - Description text 3.
• Snippet - The snippet.
• Draft Message - Draft message(s) if exist.
• Active Member - Active member(s) if exist.

For more information or suggestions please contact: ekrma.elnour@forensafe.com