Create parser for Windows 10 Facebook app

Open bcarrier opened this issue 9 years ago • 7 comments

The Facebook app on Windows 10 uses SQLite databases to store user info. An Autopsy ingest module could parse those databases and create associated artifacts.

See http://computerforensicsblog.champlain.edu/2015/04/01/windows-10-facebook-forensics/

bcarrier avatar Jun 10 '16 20:06 bcarrier

Hi

I'd like to implement this project and I tried to find the SQLite file, but the directory seems to have changed and database files like Friends.sqlite are removed; I can't find them. Did I find the wrong directory? Or has Facebook changed it to a different directory?

This is the official directory: C:\Users\<PROFILENAME>\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalState\<FACEBOOK ID>\DB

Here is the directory where I tried to find the files: C:\Users\<PROFILENAME>\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalState\<FACEBOOK ID> and there is no "DB" directory.

Best x5sh1

x5sh1 avatar Nov 15 '16 13:11 x5sh1

@x5sh1 were you able to find where the Facebook app stores its db files? I also have the same problem: I don't have that DB folder under LocalState.

githubuserSD avatar Apr 12 '18 15:04 githubuserSD

Check this out and see if it helps get you started:

File Location: C:\Users\markm\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalState\AppData\Local\osmeta_store_2E46DF56-98EF-484C-9BFE-0430CFD7857B\messenger_contacts.v1\fbsyncstore.db

```sql
-- Contacts joined to their profile picture URLs; epoch seconds converted to UTC date-times
select display_name, first "First_Name", Last "Last_Name",
       username "User_Name", username_normalized "User_Name_Normalized",
       is_friend, has_messenger,
       DateTime(added_Time, 'unixepoch') "DTTM_Added",
       DateTime(messenger_install_time, 'unixepoch') "Messenger_Install_DTTM",
       profile_pic_url
from people a, profile_pic_urls b
where a.person_id = b.person_id;

-- Time of the last contacts sync
select DateTime(last_contacts_sync_time, 'unixepoch') from app_state;
```

markmckinnon avatar Apr 13 '18 19:04 markmckinnon
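
An added example (not code from this thread or from Autopsy): a Python parser that opens `fbsyncstore.db` read-only, runs the two queries above with a subset of their columns, and returns nothing when the expected tables are missing. The schema in `build_sample_db` is an assumption inferred from the column names in the queries, and all sample rows are constructed.

```python
import sqlite3
import tempfile
from pathlib import Path

# Assumed schema: table and column names are taken from the queries in the comment above.
REQUIRED_TABLES = {"people", "profile_pic_urls", "app_state"}
CONTACTS_SQL = """
SELECT display_name, username, is_friend, has_messenger,
       datetime(added_time, 'unixepoch') AS added_utc, profile_pic_url
FROM people a JOIN profile_pic_urls b ON a.person_id = b.person_id
ORDER BY a.person_id
"""
SYNC_SQL = "SELECT datetime(last_contacts_sync_time, 'unixepoch') FROM app_state"

def parse_fbsyncstore(db_path):
    """Return (contacts, last_sync_utc), or None when the expected tables are absent."""
    # mode=ro opens the evidence copy read-only so the parser cannot modify it.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    try:
        names = con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
        if not REQUIRED_TABLES <= {row[0] for row in names}:
            return None  # different layout, e.g. another app version as reported in the thread
        contacts = [dict(row) for row in con.execute(CONTACTS_SQL)]
        sync = con.execute(SYNC_SQL).fetchone()
        return contacts, (sync[0] if sync else None)
    finally:
        con.close()

def build_sample_db(path):
    """Constructed sample data (not from a real image) for exercising the parser."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE people (person_id INTEGER, display_name TEXT, username TEXT,
            is_friend INTEGER, has_messenger INTEGER, added_time INTEGER);
        CREATE TABLE profile_pic_urls (person_id INTEGER, profile_pic_url TEXT);
        CREATE TABLE app_state (last_contacts_sync_time INTEGER);
        INSERT INTO people VALUES (1, 'Alice Example', 'alice.example', 1, 1, 1523646000);
        INSERT INTO people VALUES (2, 'Bob Example', 'bob.example', 0, 0, 1523649600);
        INSERT INTO profile_pic_urls VALUES (1, 'https://example.invalid/a.jpg');
        INSERT INTO app_state VALUES (1523650000);
    """)
    con.close()

if __name__ == "__main__":
    sample = Path(tempfile.mkdtemp()) / "fbsyncstore.db"
    build_sample_db(sample)
    print(parse_fbsyncstore(sample))
```

As in the query from the comment, the inner join returns only people that have a row in `profile_pic_urls`, so the constructed contact without one (Bob) is not returned; a `LEFT JOIN` would keep such rows.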

Has this been implemented yet? I am working on this for a Digital Forensics class project and would like to submit my solution.

-Marcus

mcoates1 avatar May 12 '18 20:05 mcoates1

I have one written for Facebook people database as well as chat but have not published it yet. If you want to contact me about this we can compare what each has done.

Mark

markmckinnon avatar May 12 '18 21:05 markmckinnon

Oh yeah, sorry, I stopped working on Facebook artifacts for 2 weeks but now I will be back to work on it. To be honest I didn't try your first solution yet, but when I researched Facebook I could find one database called something like graphs, and it has some Facebook URLs in it. Could you find it before?

githubuserSD avatar May 12 '18 22:05 githubuserSD

Me and @orainha have developed an ingest module for the Beta version of the app (see here).

Feel free to take any ideas from it, or even better -- contribute with the necessary changes.

ricardoapl avatar Sep 17 '20 15:09 ricardoapl