sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Create parser for Windows 10 facebook app #2231

Open bcarrier opened 8 years ago

bcarrier commented 8 years ago

The Facebook app on Windows 10 uses SQLite databases to store user info. An Autopsy ingest module could parse those databases and create associated artifacts.

See http://computerforensicsblog.champlain.edu/2015/04/01/windows-10-facebook-forensics/

x5sh1 commented 7 years ago

Hi

I'd like to implement this project and I tried to find the SQLite file, but the directory seems to have changed and the database files like Friends.sqlite have been removed; I can't find them. Did I look in the wrong directory, or has Facebook moved it to a different directory? This is the official directory: C:\Users\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalState\DB. Here is the directory where I tried to find the files: C:\Users\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalState, and there is no "DB" directory there.

Best x5sh1

githubuserSD commented 6 years ago

@x5sh1 were you able to find where the Facebook app stores its DB files? I also have the same problem; I don't have that DB folder under LocalState.

markmckinnon commented 6 years ago

Check this out and see if it helps get you started:

File Location: C:\Users\markm\AppData\Local\Packages\Facebook.Facebook_8xx8rvfyw5nnt\LocalState\AppData\Local\osmeta_store_2E46DF56-98EF-484C-9BFE-0430CFD7857B\messenger_contacts.v1\fbsyncstore.db

-- People joined to their profile picture URLs; epoch seconds rendered as date/time
select display_name,
       first "First_Name",
       Last "Last_Name",
       username "User_Name",
       username_normalized "User_Name_Normalized",
       is_friend,
       has_messenger,
       DateTime(added_Time, 'unixepoch') "DTTM_Added",
       DateTime(messenger_install_time, 'unixepoch') "Messenger_Install_DTTM",
       profile_pic_url
  from people a, profile_pic_urls b
 where a.person_id = b.person_id;

-- Time of the last contacts sync
select DateTime(last_contacts_sync_time, 'unixepoch') "Last_Contacts_Sync_DTTM"
  from app_state;
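The two queries above, turned into a small standalone parser as an added example: this is not code from this thread or from Autopsy. Table and column names are taken from the queries as posted; the schema and rows built by build_sample_db() are constructed for the demo and are not a dump from a real device. It runs under plain CPython's sqlite3 module (an Autopsy Jython module would read the same tables over JDBC). Two practitioner details differ from the query as posted: the join is a LEFT JOIN, so a person without a profile_pic_urls row is still reported, and a schema check runs first because, as the comments above show, the app's storage layout changes between versions.

```python
"""Parse the people / profile_pic_urls / app_state tables of a copied
fbsyncstore.db (Windows 10 Facebook app).

Names follow the queries in this thread; build_sample_db() returns
CONSTRUCTED sample data, not a dump from a real device.
"""
import sqlite3
from datetime import datetime, timezone

EXPECTED_TABLES = {"people", "profile_pic_urls", "app_state"}


def epoch_to_utc(seconds):
    """Render a unixepoch integer as 'YYYY-MM-DD HH:MM:SS' UTC.

    NULL / 0 means "never set": return None rather than 1970-01-01 so the
    artifact does not carry a bogus timestamp.
    """
    if not seconds:
        return None
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def has_expected_schema(conn):
    """Confirm the tables exist before querying; fail early if the layout moved."""
    names = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    return EXPECTED_TABLES <= names


def parse_people(conn):
    """One dict per people row, joined to its profile picture URL.

    LEFT JOIN instead of the implicit inner join so a person without a
    profile_pic_urls row is still reported (profile_pic_url is then None).
    """
    rows = conn.execute('''
        SELECT p.display_name, p."first", p."last", p.username,
               p.username_normalized, p.is_friend, p.has_messenger,
               p.added_time, p.messenger_install_time, u.profile_pic_url
          FROM people p
          LEFT JOIN profile_pic_urls u ON u.person_id = p.person_id
         ORDER BY p.person_id
    ''').fetchall()
    return [
        {
            "display_name": r[0],
            "first_name": r[1],
            "last_name": r[2],
            "user_name": r[3],
            "user_name_normalized": r[4],
            "is_friend": bool(r[5]),
            "has_messenger": bool(r[6]),
            "added": epoch_to_utc(r[7]),
            "messenger_installed": epoch_to_utc(r[8]),
            "profile_pic_url": r[9],
        }
        for r in rows
    ]


def last_contacts_sync(conn):
    """Time of the last contacts sync from app_state, or None if absent."""
    row = conn.execute("SELECT last_contacts_sync_time FROM app_state").fetchone()
    return epoch_to_utc(row[0]) if row else None


def build_sample_db():
    """CONSTRUCTED stand-in for fbsyncstore.db with only the columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript('''
        CREATE TABLE people (
            person_id TEXT PRIMARY KEY, display_name TEXT, "first" TEXT, "last" TEXT,
            username TEXT, username_normalized TEXT, is_friend INTEGER,
            has_messenger INTEGER, added_time INTEGER, messenger_install_time INTEGER);
        CREATE TABLE profile_pic_urls (person_id TEXT, profile_pic_url TEXT);
        CREATE TABLE app_state (last_contacts_sync_time INTEGER);
    ''')
    conn.executemany("INSERT INTO people VALUES (?,?,?,?,?,?,?,?,?,?)", [
        # friend with Messenger installed and a picture row
        ("100001", "Alice Example", "Alice", "Example", "alice.example",
         "aliceexample", 1, 1, 1430438400, 1433116800),
        # contact who is not a friend, never installed Messenger, no picture row
        ("100002", "Bob Sample", "Bob", "Sample", "bob.sample",
         "bobsample", 0, 0, 1451606400, None),
    ])
    conn.execute("INSERT INTO profile_pic_urls VALUES (?, ?)",
                 ("100001", "https://example.invalid/pic/100001.jpg"))
    conn.execute("INSERT INTO app_state VALUES (?)", (1460000000,))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    if not has_expected_schema(db):
        raise SystemExit("fbsyncstore.db layout not recognised")
    for person in parse_people(db):
        print(person)
    print("last contacts sync:", last_contacts_sync(db))
```

To run it against a real copy of the database, replace build_sample_db() with sqlite3.connect() on the extracted file (work on a copy, never the original evidence) and keep the has_expected_schema() check in front of the queries so a changed layout is reported instead of producing empty artifacts.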

mcoates1 commented 6 years ago

Has this been implemented yet? I am working on this for a Digital Forensics class project and would like to submit my solution.

-Marcus

markmckinnon commented 6 years ago

I have one written for Facebook people database as well as chat but have not published it yet. If you want to contact me about this we can compare what each has done.

Mark

githubuserSD commented 6 years ago

Oh yeah, sorry, I stopped working on the Facebook artifacts two weeks ago, but now I will get back to work on it. To be honest I haven't tried your first solution yet, but when I researched Facebook I found one database called something like "graphs" and it has some Facebook URLs in it. Did you find that one before?


ricardoapl commented 3 years ago

@orainha and I have developed an ingest module for the Beta version of the app (see here).

Feel free to take any ideas from it, or even better -- contribute with the necessary changes.