
FB Messenger App (Android) Media Files Share Tracking


In past blog posts, I've stressed the importance of testing and validating information. This post is no different. It's imperative that, as digital forensic investigators, we test apps from the user's perspective and then analyze what happens to the data behind the scenes.

I recently had a case which featured a specific media file artifact located in the "fb_temp" folder of the Facebook Messenger app. At first glance, the assumption would be that the user must have sent this media to someone using the app. But we all know what happens when we assume.

Below is the testing I conducted and the information I found that can help you track whether files or media were actually shared in the app and when.

FACEBOOK MESSENGER TESTING METHODOLOGY

A video was located in the Facebook Messenger app’s fb_temp folder on an Android phone. Since “temp” denotes a temporary folder, it was necessary to test Facebook Messenger (FBM) on an Android device to ascertain what user actions create these files.

STEP 1
This first step tested whether a file was created and remained in the fb_temp folder if a video was recorded but not sent.

FBM was opened on an Android phone and signed into the Federal Public Defender Facebook account. A video recording of a Star Wars poster was started on the device. Once finished, the video was saved to the phone’s movies folder. The FBM video recording screen was then exited, and the video was never sent as a message.

This video test from FBM was completed on 3/19/2018 @ 1:35 pm (13:35).

STEP 2
The second step tested creating a video in FBM and sending it as a message.

FBM was opened on the same Android phone and signed into the same account as Step 1. A video recording of a red Star Wars calendar was started on the device. The video was then sent to a staff member’s Facebook account through FBM. This was completed on 3/19/2017 @ 2:55 pm (14:55).

The video was not saved to the phone’s movies folder.

TESTING NOTE
During Step 2 testing, an attempt was made to send the video previously made in Step 1. FBM did not show that the previously unsent video existed. This indicates that if a user creates a video or photo and does not share it, subsequent messages do not have access to send or share that video or photo. When a user creates a video and doesn’t share it, they will not be able to share or access that video at any time in the future.

TESTING / VALIDATION FORENSIC ANALYSIS

The Android phone was then placed in Airplane Mode to disable all communications. Cellebrite’s UFED was used to perform a physical forensic image of the device. The forensic image was then analyzed using two separate tools to validate the data: Cellebrite’s Physical Analyzer and Magnet Forensics AXIOM.

VIDEO CREATION ANALYSIS
Both the video created but not shared and the video that was shared were found in FBM’s fb_temp folder. Each video file had the date/time it was created. There was no difference in the filename syntax or file location between the video that was shared and the video that was not shared.
Additionally, a second copy of Step 1’s video was found in the phone’s movies folder. This was expected since Step 1 included saving the video to the phone.


This testing demonstrates that the mere presence of a video or photo digital artifact found in FBM’s fb_temp folder is not an indication that the file was sent or shared.

FACEBOOK MESSENGER CONVERSATION DATABASE ANALYSIS
FBM also keeps a log of messages or conversations in a database. This digital artifact can be used to view past conversations, including sent or received attachments. It also includes the date/time of each message.

The conversation on the test phone used to send the video from Step 2 was extracted and reviewed. It does indeed show that a video was sent during the FBM chat. It does not show the creation or other evidence of the video created in Step 1 since that video was never shared.
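As an added illustration (not part of the original testing or of either forensic tool), the Python example below correlates fb_temp file creation times against outgoing video messages in the conversation data. The table layout, column names, file names and timestamps are constructed assumptions; the real schema and values must come from the extraction.

```python
import sqlite3
from datetime import datetime, timezone

def ms(hour, minute, second=0):
    """Epoch milliseconds on a constructed test date (UTC)."""
    dt = datetime(2020, 1, 15, hour, minute, second, tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def build_sample_db():
    """Constructed stand-in for the conversation database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (msg_id TEXT, sender TEXT, "
               "timestamp_ms INTEGER, text TEXT, attachment_type TEXT)")
    db.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", [
        ("m1", "contact", ms(13, 36), None, "video"),     # incoming video, not ours
        ("m2", "owner", ms(13, 40), "on my way", None),   # outgoing text only
        ("m3", "owner", ms(14, 55, 20), None, "video"),   # outgoing video
    ])
    return db

# Constructed fb_temp listing: (file name, created time in epoch ms).
TEMP_FILES = [("unshared.mp4", ms(13, 35)), ("shared.mp4", ms(14, 55))]

def correlate(db, temp_files, owner="owner", window_ms=10 * 60 * 1000):
    """Map each temp file to the first outgoing video message sent within
    window_ms after the file was created, or None when there is none."""
    query = ("SELECT msg_id FROM messages WHERE sender = ? "
             "AND attachment_type = 'video' AND timestamp_ms BETWEEN ? AND ? "
             "ORDER BY timestamp_ms LIMIT 1")
    result = {}
    for name, created in temp_files:
        row = db.execute(query, (owner, created, created + window_ms)).fetchone()
        result[name] = row[0] if row else None
    return result

if __name__ == "__main__":
    for name, msg_id in correlate(build_sample_db(), TEMP_FILES).items():
        status = (f"candidate send: message {msg_id}" if msg_id
                  else "no outgoing video message found")
        print(f"{name}: {status}")
```

A time match is only a lead to confirm against the message's attachment details in the conversation record. The incoming video at 13:36 in the sample shows why the sender must be filtered: a received attachment close in time to an unshared file would otherwise look like a send.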



CONCLUSION

This testing demonstrates that to verify whether a video or photo was shared using FBM, the conversation data must be extracted and analyzed.
