Blog >> Microsoft Messaging

Investigating Microsoft Messaging

05/01/2021 Tuesday

Microsoft Messaging is an instant messaging platform in Windows 8, Windows 10, and Windows 10 mobile environments. It provides messaging and voice/video calling services. SMS, MMS, and RCS messaging are all supported on the web edition. SMS messages sent via Skype and billing SMS messages from an LTE operator are the only features available on the desktop version.

Digital Forensics Value of Microsoft Messaging Artifacts

In Microsoft Messaging artifacts provide data about calls, messages, contacts, media, and the information exchange between Windows and linked devices. Tracking such information is critical during the digital forensic analysis process and helps us understand the types of artifacts that are likely to remain for digital forensics investigators.

Location of Microsoft Messaging Artifacts

Windows 10: %AppData%\Local\Packages\Microsoft.Messaging_xxxxxxxxxxxxx\LocalState\<user id>\main.db

Structure of Microsoft Messaging Artifacts

The structure of Microsoft Messaging artifacts is an SQLite Database that contains multiple tables each with information regarding the users’ actions on the software.

Analyzing Microsoft Messaging Artifacts with ArtiFast Windows

This section will discuss how to use ArtiFast Windows to analyze Microsoft Messaging artifacts from Windows machines and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for investigation, at the Artifacts Parser Selection Phase, you can select Microsoft Messaging artifacts:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Microsoft Messaging artifacts in ArtiFast software.

Microsoft Messaging Calls Artifact

• Host Identity - The host identity.
• ID - The user ID.
• Name - The username.
• Server Identity - The server identity.
• Duration - The call duration.
• Is Muted - Indicates whether the call is muted.
• Joined Existing - Indicates whether joined existing is enabled.
• Is On Hold - Indicates whether the call is on hold.
• Is Active - Indicates whether the call is active.
• Failure Code - The call failure code.
• Is Unseen Missed - Indicates whether the call is unseen missed.
• Topic - The call topic.
• Is Incoming - Indicates whether the call is Incoming.
• Is Permanent - Indicates whether the call is permanent.
• Sound Level - The call sound level.
• Quality Problems - the call quality problems.
• Video Disabled - Indicates whether the video is disabled.
• Active Members - The call active members.
• Is Conference - Indicates whether the call is a conference.
• Access Token - The call access token.
• PSTN Number - The call PSTN number.
• Begin Time - The time and date the call begun.

Microsoft Messaging Chats Artifact

• Topic XML - The chat topic XML.
• Last Change - The chat last change date and time.
• Name Text - Chat name text.
• Description - Chat description.
• Is Bookmarked - Indicates whether the chat is bookmarked.
• Banned Users - Chat banned users.
• Adder - The chat adder.
• Guidelines - The chat guidelines.
• Name - Chat name.
• Activity Time - Chat activity time.
• Password Hint - Chat password hint.
• Friendly Name - Chat friendly name.
• DB Path - Chat database path.
• Participants - Chat participants.
• Applicants - Chat applicants.
• Active Members - Chat active members.
• Topic - The chat topic.
• Chat Time - The chat date and time.

Microsoft Messaging Contacts Artifact

• Assigned Phone 1 - Assigned phone 1.
• Assigned Phone 2 - Assigned phone 2.
• Assigned Phone 3 - Assigned phone 3.
• Birthday - Contact birthday.
• City - Contact city.
• Country - Contact country.
• Display name - Contact display name.
• Emails - Contact emails.
• First Name - Contact user first name.
• Last Name - Contact user last name.
• Full Name - Contact user full name.
• Gender - Contact gender.
• Hashed Emails - Contact user hashed Emails.
• Home Page - Home page.
• Is Blocked - Indicates whether the contact is blocked.
• Is Mobile - Indicates whether it is mobile.
• Is Trusted - Indicates whether the contact is trusted.
• Languages - The contact languages.
• Main Phone - Contact main phone.
• Mood Text - Mood text.
• Phone Home - Contact home phone.
• Phone Mobile - The contact mobile phone.
• Phone Office - Phone office.
• Profile Timestamp - Profile timestamp.
• Province - Province.
• PSTN Number - PSTN number.
• Rich Mood Text - Rich mood text.
• Skype Name - Skype name.
• Timezone - Time zone.
• Last Modified - Database last modified date and time.

Microsoft Messaging Messages Artifact

• XML Body - The message XML body.
• Author - The message author.
• Identities - The message identities.
• Chat Name - Chat name.
• Edit Time - The date and time when the message was edited.
• Send Time - The date and time when the message was sent.
• From (Display Name) - The sender display name.
• Author Was Live - Indicates whether the author was live.
• Participant Count - The message participant count.

Microsoft Messaging SMSes Artifact

• Target Numbers - The SMS target numbers.
• Price Precision - The SMS price precision.
• Body - SMS body content.
• Is Failed Unseen - If the SMS is failed unseen, value equal ‘yes’ if not ‘no’.
• Status - SMS status.
• Identity - SMS identity.
• Failure Reason - SMS failure reason.
• Price Currency - The SMS price currency.
• Target Statuses - The SMS target statuses.
• Reply To Number - The SMS reply to number.
• Outgoing Reply Type - The SMS outgoing reply type.
• Reply Id Number - The SMS reply Id number.
• SMS Type - SMS type.
• Price - SMS price.
• Send Time - The SMS send date and time.

Microsoft Messaging Transfers Artifact

• File Name - The file name.
• Start Time - The file transfer start date and time.
• Finish Time - The file transfer finish date and time.
• Accept Time - The file transfer accept time.
• Partner Handle - The file transfer partner handle.
• Byte per Second - Number of bytes transferred per second.
• Partner Display Name - The partner display name.
• File Size - The file size in bytes.
• Bytes Transferred - The number of bytes transferred.
• File Path - The transferred file path.

Microsoft Messaging Video Messages Artifact

• Description - The video message description.
• Title - The video message title.
• Author - The video message author.
• Public Link - The video message public link.
• Video Message Type - The video message type.
• Video Path - The video message path.
• Local Path - The video local path.
• Creation Time - Video message creation time.

Microsoft Messaging Videos Artifact

• Media Type - The media type.
• Duration VGAD2 - The media duration VGAD2.
• Device Name - The device name.
• Duration 720 - The media duration 720.
• Duration HQV - The media duration HQV.
• Duration LTVGAD2 - The media duration LTVGAD2.
• Duration 1080 - The media duration 1080.
• Status - The video status.
• Device Path - The device path.
• Dimensions - The media dimensions.
• Video Time - The video date and time.