Instagram is a very popular social media application that allows its users to interact through uploaded photos, videos, and direct messages/chat threads. Used by 1/3 of mobile phone users in the world according to Pew Research Center, there is a potential for Instagram to be relevant in some digital forensic cases. The following are highlighted findings from the Windows 10 Desktop Store’s version of this app. Findings reveal that there is a substantial amount of relevant data for all users connected to this application. If the user account exists on another device, such as a mobile phone, the items will sync to this application upon launch. In this post we will review:
- Direct Messages & Threads
- Photos and videos that have been uploaded by the user
- Photos and videos that have been cached for the user
- Oma_log files
- When the last application session was closed
- How long the most recent session was open for
- The user account’s Instagram feed
- Followed accounts / friendship status
- Deleted and temporary items
APP PATH: Instagram Application Data Path: C:\Users\<user>\Appdata\Local\Packages\Facebook.InstagramBeta
Direct Messages & Threads
\LocalState\Library\Application Support\ DirectSQLDatabase\
Instagram unsurprisingly stores local messages within a database file for easy referencing. The name of the file will be a random string of numbers, which is the user’s account ID. Each user account on the Windows PC with direct messages will have their own messages & threads database file, as seen in figure 1. Instagram account ID numbers are easily discover-able on Google, allowing you to link usernames to the account messages.
Once inside the database file you will find tables for “inbox_metadata”, “messages”, “sqlite_sequence”, and “threads”.
• I suggest starting with the sqlite_sequence table because it provides an overview of how many total messages and threads exist on that user’s app instance (figure 2). Be cautious, I have found that numbers for the message count can be skewed. In a test of only 1 direct message thread including two user accounts, with one message sent and received by each account, the database states there are 9 messages present. It is possible the message count is factoring in other application events such as following new accounts, sending request, etc. Nevertheless, this table still allows you to quickly identify the accurate message thread count for the user.
• The messages table is the meat of the database. It includes plaintext sent/received messages, individual message IDs, thread IDs, timestamps of the messages, and message class names (figure 3). There is no direct reference to whether the user sent or received a particular message, but the message_id may be able to reveal that through direct contact with Instagram. Note, all timestamps are presented in this database with an Epoch time value. Instagram allows more than just typed messages to be sent through the direct message functionality. A user can also share another account’s posts and live videos. Instances of such are shown under the “class_name” column (figure 4).
• Threads will show you descriptive information about the message threads themselves. I have not been able to manipulate the message threads in ways that populated data in all columns of this table, however the few populated items are still valuable. Here you will find the name of the the thread, the last activity date in Epoch time, the thread ID, and the user account’s ID that viewed the thread (figure 5). You can match the thread_id values in this table with the “thread_id_published” values in the messages table, to see what thread a particular message was a part of. This is very useful since it is possible the user account has numerous out-of-order direct message threads.
Photo & Video Uploads
Instagram allows for users to upload images and videos from their Windows desktop device by taking control of a webcam. The directory structure overview for these items are in figure 6, below.
An oma JSON log file is created in this directory every time the application is launched. The creation time of this log file is the time the application was launched. You may be able to derive an application launch count from the amount of logs files present. When viewed with a text editor, you will find information related to the launch instance (figure 7). Items of interest include “time”, “app_id”, “app_ver”, “device_id”, “device_id”, “session_id”, os_type”, and “os_ver”.
• Time: There are two time values in this log. The first appears to be the time the log file was created, and the second was the time the application was actually launched (in Epoch time).
• App_id: The Instagram application’s ID value
• App_ver: The running version of the Instagram application
• Device_id: Unique ID to the Windows device using the application
• Session_id: A session ID string for that particular launch instance of Instagram
• Device_Type: Shows the Windows machine’s System Model Name
• OS_Type: Shows what OS the application is running on
• OS_Ver: Shows what version of the OS is running
Time Spent in Application
A JSON file with the ending name “AppEventsTimeSpent” contains when the last time the Instagram application was suspended and the seconds the user spent in the current/most recent session.
There are many .plist files within this directory, but the one we are interested in is the users-all-users<account_id>.plist. In figure 9 on the left you can see that this file contains a list of every account this user is currently following or has followed at one point. Each user account will be contained within a block-like data segment that begins with Little Endian hex values “21 03 22 03 23 03 24 03 25 03 26….” and ends with “DF 10 63”. There does not seem to be a cached limit of how long the account will store unfollowed accounts. If the Instagram account used for this application was previously used on another device, it will sync and pull all user follow/unfollow data with it.
Cached Images & Videos
Recently viewed images and videos are cached and stored locally on the device within these directories. In the image cache directory, you can get an easy insight into the pictures the user has recently viewed (figure 10). To view recently cached videos, go to the video cache directory, export a file, and give it a .mp4 file extension. You will then be able to watch the full exported video that the user had on their screen. Note, just because an image or video exists within one of the directories does not mean it was directly searched for. Although it can from an intentional search, images/videos for ads, from feed scrolling, or scrolling through Instagram’s search page can also populate in this directory. If it displayed on the user’s screen while within the application, there is a potential it is present here.
The “lastentries.<user_id>.coded” and “lastreel-response-<user_id>.coded” files can be loaded into a hex editor, where you will find data relating to the user’s Instagram feed (figure 11). The ‘feed’ can be thought of as the main page of Instagram where the user sees images/videos/stories from the users they follow. Between these two files you will find data relating to posts other people have made. You will also find reminiscences of post descriptions, tagged users, and tagged locations (figures 12 & 13).
In case you were curious about the many instances of URL addresses you will see within these two files, they can be copied out to a browser and will actually resolve the photo (Figure 14)!
Account Following Status
Unlike all other user account references, the data found within this directory will display the following status of the instagram accounts viewed by this user. In the example below, my test user account came across a user named “artcraftsy” and recently saw one of his posts. The NetworkingDiskCache file shows that although I saw one of his posts, my account is not actually following this account (figure 15).
Along with a recycle bin directory for all very recently deleted Instagram posts/images, many tmp files can be found with small changes that occurred between different launch sessions. This is a potential directory for a last resort push for deleted items related to the application.