Communications UI – From/To and Facebook Accounts

Hi

I am currently developing a data source-level ingest module to extract the most significant artifacts produced by the usage of the Windows Store application Facebook Messenger (Beta).

However, I am having some trouble integrating with the Communications UI.

Environment:

Windows 10

Autopsy 4.14.0

Expected behavior:

Looking up the properties of any message within the Communications UI, I would expect to see something resembling the following screen capture:

Actual behavior:

Facebook account identifiers are phone numbers instead of account identifiers, and there is a duplicate property “ThreadID” with value “”.

Steps to reproduce the behavior:

  1. Create a CommunicationArtifactsHelper with account types Account.Type.FACEBOOK

  2. Create a TSK_MESSAGE artifact along with any account instances and relationships by calling CommunicationArtifactsHelper.addMessage()

I have also tried to create the accounts, artifacts, and relationships (i.e. messages) separately but still had no success; in such cases the properties “From” and “To” show up empty.

Questions:

Am I following the correct procedures?

If so, is this behavior intended? If not, should I open a GitHub issue?

Thank you!

Can you compare what you’re doing with the code here and see if there’s any obvious differences?

Thanks apriestman but I have found no noticeable differences.

Since there are no built-in attribute types TSK_USER_ID_FROM and TSK_USER_ID_TO, I would assume that the only attributes to be considered for the “From” and “To” properties of any message at the Communications UI would be one of the following:

{TSK_PHONE_NUMBER_FROM, TSK_PHONE_NUMBER_TO}

{TSK_EMAIL_FROM, TSK_EMAIL_TO}

Which would explain why any message created through CommunicationArtifactsHelper.addMessage() has those attributes, i.e., TSK_PHONE_NUMBER_FROM and TSK_PHONE_NUMBER_TO.

I also planned on running the module you shared, just to make sure that what I am asking for is possible. However, I had no success in the search for any Facebook Messenger databases on my smartphone.

Meanwhile, I also noticed that the “Source File” property of any message seen through the Communications UI has value “Message”. When that same message is double-clicked, it displays an error saying “Failed to locate directory.”; this does not happen when seeing the message through the Result Content Viewer.

Hi

At this time, we use the attributes TSK_PHONE_NUMBER_TO/TSK_PHONE_NUMBER_FROM to specify the Sender/Receivers of any type of messages.

That’s why you see them as “From Phone number” & “To Phone Number” in the properties, instead of “From User Id” and “To User Id”.

We have a story to change that in the future.

Let me look into the blank “ThreadID” property. I will get back to you on that.

Thanks raman

The blank “ThreadID” is not much of a problem to me given that there exists another property “Thread ID” with the correct value and the messages are grouped correctly.