Investigating Windows imo
10/03/2023 Friday
imo is an instant messaging platform similar to WhatsApp and Viber. The app initially gained popularity because of its video call feature, as it was one of the first instant messaging platforms to offer it. Nowadays, almost all instant messaging platforms allow their users to communicate freely via text, voice and video messages and calls, as long as they have an active internet connection.
Digital Forensics Value of imo
Similar to other instant messaging apps, imo has millions of users worldwide performing all kinds of activities online. Thus, it is important to be able to analyze and view critical artifacts that will support digital forensic investigations. It is important to note that the Windows version of the app does not support account creation. It can be considered an interface for using the mobile version of the app.
Location of imo Artifacts
The artifacts can be found at the following location:
%systempartition%\Users\%user%\AppData\Roaming\imo\
Analyzing imo with ArtiFast
This section discusses how to use ArtiFast to extract imo artifacts from Windows and what kind of digital forensics insights we can gain from them.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select imo artifacts.
Once the ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Windows imo artifacts in ArtiFast.
imo Contacts Artifact
- Account State - Indicates whether the account is active or expired.
- BUID - The chat’s unique identifier.
- Author Alias - The name of the author of the message.
- Contact Display Name - The user’s display name.
- Icon - The user’s profile icon.
- Primitive - The user’s status.
- Contact Name - The user’s name.
- Is Buddy - Indicates whether this user is a friend of the account user.
- Is Blocked - Indicates whether this user is blocked by the account user.
- Last Message Content - The content of the last message.
- Last Message Date - The date/time when the last message was sent or received.
- Is Favorite - Indicates whether this user is marked as favorite by the account user.
- Is Muted - Indicates whether this user is muted by the account user.
- Group - The group’s BUID, if there is a group that both users are participants in.
- Last Message Type - Indicates whether the last message is sent or received.
- Last Message Author - The last message’s author, whether that is the account owner or this contact user.
- Last Message Acknowledged - Indicates whether the last message is acknowledged or not.
- Last Message Delivered - Indicates whether the last message was delivered to the receiver or not.
- Last Message Seen - Indicates whether the last message was seen by the receiver or not.
- Last Message Unread - Indicates whether the last message was read by the user or not.
- Last Message From Non Buddy - Indicates whether the last message was received from a non-buddy or not.
- Message Sender Date/Time - The date/time when the sender sent the last message.
imo Conversations Artifact
- Contact/Group Alias - The contact or group alias.
- BUID - The chat’s unique identifier.
imo Stories Artifact
- Is Public - Indicates whether the story is public or private.
- Object ID - The story’s object ID.
- Title - The title of the story.
- Description - The description for the story.
- Type - The story’s object type.
- Is Viewed - Indicates whether this story has been viewed by the user or not.
- Is Friend of Friends - Indicates whether the story is posted by a friend’s friend.
- Link - The link of the story’s object.
- BUID - The chat’s unique identifier.
For more information or suggestions please contact: kalthoum.karkazan@forensafe.com