Windows 10 Forensics Part 2: Facebook App Forensics
By Alex Parsons
One of the most used applications on all mobile platforms is the Facebook App. Released in 2013, the Facebook Windows application runs on all Windows 8.1 and Windows 10 devices. Below is a detailed analysis of the artifacts found in the Modern Facebook app (As of March 16th 2015) The app can be found in the app store Facebook App.
The file path for the Facebook databases are located a at: C:\Users\<PROFILENAME>\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalState\<FACEBOOK ID>\DB
Within the file structure of this application there are several SQLite databases which include:
These databases can be opened and viewed easily using the sqlitebrowser.
The analytics database contains some minor analytical information that Facebook uses to get app feedback. Information provided are items such as whether or not chat is enabled or what time the user last clicked on the messaging tab.
Friend Requests Database
This database contains all pending Facebook requests that the user has with the following attributes:
- Facebook UID
- Time the Friend request was made
- Whether the message has been read
- First and Last name
- Affiliations (Often found to be the school)
This database has every single friend stored on the application. In most cases it stores all friends; however on our test subject with over 600 friends, it only stored 593 of them. This database stores a plethora of information for each friend including the following:
- Facebook UID
- Contact Email
- Phone Number
- Profile URL
- If the user can receive Push notifications
- If the user has Facebook Messenger
- Communication Rating (Closest friends have higher ranks)
- Birthday Date
This database contains all messages that are still cached on the machine. These messages can be found in the messages table within the database, and contain the following attributes for each message. It is unknown how this database chooses which files to download, but some messages listed had timestamps before the applications was base. For this case, 3,477 messages were stored.
- Thread ID
- Sender with UID, Name & Email
- Source (Messenger or Web)
- Whether it has been read
- Local Timestamp
- Server Timestamp
- Geolocation Coordinates
- Attachment info
You will notice that the sender is listed, but not the receiver. To find the receiver, go to the threads db, and from there you can find the Thread ID listed earlier, and find the receiver’s Facebook ID in the “Senders column”. The Senders column lists all recipients of the conversation.
Below is a screenshot that shows a portion of the Messages database in SQLite, notice how there geolocation coordinates listed even though the devices used did not have a GPS sensor.
The notifications database handles all of the Facebook notifications. These are the notifications that pop up on Windows when a comment is made; someone “likes” your status, or any other notification which occurs on Facebook. One can get the following useful attributes from the notifications table:
- Notification ID
- Object Type (From Facebook stream, Event post, group post, birthday reminder etc.)
- Content of notification (“John Smith likes your status”)
- Facebook UID of the person who caused the notification
- Icon URL
- Whether it has been read
- Time in which it was updated
- Time in which the object was created
This database is where stickers are stored when they are sent or received by the user; this data can be useful when interpreting messages since the stickers are referenced only by their UID in the Messages database. The stickers table contains the UID of the stickers as well as a link to the sticker in reference.
The stories database is the database that stores what the user sees on their timeline. All of its attributes and actual stories are stored here. The stories database is the most useful table within the database since it contains the content and timestamps of the stories. The following attributes are stored in this table, along with others.
- Story ID
- If the story is Hidden
- Facebook Sub Type (Story, Following, Promoted)
- Attached Story ID
- If the viewer delete the post
- If the viewer can edit the post
- Creation Timestamp
- URL of story:
- Shareable metadata
- Title Metadata (Includes the text in the story)
- Icon Image URL
- Edit History
A plethora of Facebook data can be discovered from this artifact location including cached messages, friends lists, and news feeds. Even geolocation data is stored in this location regardless of whether or not the device has a GPS sensor. In conclusion, one can now find and analyze Facebook data from this Windows 8.1 application that runs on both Windows 8.1 and Windows 10.