Blog >> Facebook Messenger Windows

>

Investigating Facebook Messenger Windows Application

31/08/2021 Tuesday

Facebook Messenger is an Instant Messaging (IM) service, and it ranks second among the most popular social network platforms. With more than one billion daily active users on average, it is a rich platform for investigators.


Digital Forensics Value of Facebook Messenger Artifacts


Facebook Messenger Windows application artifacts keep information like messages, conversations, participants, users contacted, shared images, transferred files, location, voice calls, and video calls along with timestamps recording each performed action. This wealth of data can help investigators with uncovering the details of a suspect’s actions.


Location of Facebook Messenger Artifacts


ArtiFast supports Facebook Messenger new and old structure. For the newer version, Facebook Messenger Windows application stores its user generated files at the following location: C:\Users\%username%\AppData\Local\Packages\FACEBOOK.317180B0BB486_8xx8rvfyw5nnt

For the older versions:
C:\Users\%username%\AppData\Local\Packages\Facebook.317180B0BB486_8xx8rvfyw5nnt\LocalState\osmeta_cache\groupcontainer-group.com.facebook.Messenger\_store_DB454929-7BCD-42B5-B105-ED95063B0D98\ messenger_messages.v1


Structure of Facebook Messenger Artifacts


The structure of the Facebook Messenger Windows application artifacts is an SQLite Database that contains multiple tables each with information regarding the users’ actions on the software.


Analyzing Facebook Messenger Artifacts with ArtiFast Windows


This section discusses how to use Artifast Windows to extract Facebook Messenger artifacts from Windows machines and what kind of digital forensic insights can be gained from the artifacts.

After you have created your case and added evidence for the investigation at the Artifact Parser Selection Phase, you can select Facebook Messenger artifacts:




ArtiFast can analyze Facebook Messenger text messages, threads, thread participants, users contacted, cashed data, attachments, shared locations, calls, and self profiles, and cached images and messages from the older versions. For demonstration purposes, all artifacts have been chosen but you have the option to parse artifacts individually as well.



Once ArtiFast parser plugins complete processing artifacts for analysis, they can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Facebook Messenger artifacts in ArtiFast software.


Facebook Messenger Text Messages Artifact

This artifact contains various types of messages input by the user or the application, these messages indicate that an activity either has happened or is happening within a conversation. These can include text messages, voice notes, gifs, stickers, pictures, videos, documents, sending location, sharing live location, voice calls, video calls, messenger rooms, changing a user's nickname, changing chat theme, someone joining the call and when the call has ended. The details you can view in Facebook messenger text messages artifact include:


Facebook Messenger Threads Artifact

Facebook Messenger Threads are the conversation that the messages are associated with. The details you can view include:


Facebook Messenger Thread Participant Artifact

This artifact contains the details of the individual chat thread for each user. The details you can view include:


Facebook Messenger Users Contacted Artifact

Facebook Messenger Users Contacted contains information about users contacted from using Facebook Messenger. The details you can view include:


Facebook Messenger Cached Data Artifact

This artifact represents the Facebook Pictures artifact found and can be recovered on the system that originated from Facebook itself. These pictures can be user profile pictures, friends' pictures, or any other picture that gets cached while browsing Facebook. The details you can view in Facebook messenger cached data include:


Facebook Messenger Attachments Artifact

This artifact includes the data of every type of attachment and its related information, such as, pictures, videos, GIFs, audio calls, video calls, and messenger rooms. The details you can view include:


Facebook Messenger Shared Locations Artifact

Facebook Messenger Shared Locations includes all the shared location data recovered from Facebook Messenger. The details you can view include:


Facebook Messenger Calls Artifact

Facebook Messenger Calls contains the call data recovered from Facebook Messenger. The details you can view include:


Facebook Messenger Self Profile Artifact

The Facebook Messenger Self Profile represents the main user account profile data. The details you can view include:


Facebook Messenger Cached Images Artifact

This artifact contains information about Facebook Messenger Windows App cached images. The details you can view include:


Facebook Messenger Messages Artifact

This artifact contains information about Facebook Messenger Windows Messages. The details you can view include: