Instagram Forensics -Windows App Store

instagram-3383597_960_720

Instagram is a very popular social media application that allows its users to interact through uploaded photos, videos, and direct messages/chat threads. Used by 1/3 of mobile phone users in the world according to Pew Research Center, there is a potential for Instagram to be relevant in some digital forensic cases. The following are highlighted findings from the Windows 10 Desktop Store’s version of this app. Findings reveal that there is a substantial amount of relevant data for all users connected to this application. If the user account exists on another device, such as a mobile phone, the items will sync to this application upon launch. In this post we will review:

  • Direct Messages & Threads
  • Photos and videos that have been uploaded by the user
  • Photos and videos that have been cached for the user
  • Oma_log files
  • When the last application session was closed
  • How long the most recent session was open for
  • The user account’s Instagram feed
  • Followed accounts / friendship status
  • Deleted and temporary items
APP PATH: Instagram Application Data Path: C:\Users\<user>\Appdata\Local\Packages\Facebook.InstagramBeta

 

Direct Messages & Threads

\LocalState\Library\Application Support\ DirectSQLDatabase\

Instagram unsurprisingly stores local messages within a database file for easy referencing. The name of the file will be a random string of numbers, which is the user’s account ID. Each user account on the Windows PC with direct messages will have their own messages & threads database file, as seen in figure 1. Instagram account ID numbers are easily discover-able on Google, allowing you to link usernames to the account messages.

two db files.PNG
Figure 1: Two Instagram accounts on the single application results in two message .db files.

Once inside the database file you will find tables for “inbox_metadata”, “messages”, “sqlite_sequence”, and “threads”.

• I suggest starting with the sqlite_sequence table because it provides an overview of how many total messages and threads exist on that user’s app instance (figure 2). Be cautious, I have found that numbers for the message count can be skewed. In a test of only 1 direct message thread including two user accounts, with one message sent and received by each account, the database states there are 9 messages present. It is possible the message count is factoring in other application events such as following new accounts, sending request, etc. Nevertheless, this table still allows you to quickly identify the accurate message thread count for the user.

• The messages table is the meat of the database. It includes plaintext sent/received messages, individual message IDs, thread IDs, timestamps of the messages, and message class names (figure 3). There is no direct reference to whether the user sent or received a particular message, but the message_id may be able to reveal that through direct contact with Instagram. Note, all timestamps are presented in this database with an Epoch time value. Instagram allows more than just typed messages to be sent through the direct message functionality. A user can also share another account’s posts and live videos. Instances of such are shown under the “class_name” column (figure 4).

 

threads andmsg list.PNG
Figure 2: Overview of thread and message count for accounts on this Windows application.

 

messages2.PNG
Figure 3: Messages table

 

message types.PNG
Figure 4: Class names reveal what type of message was sent.

• Threads will show you descriptive information about the message threads themselves. I have not been able to manipulate the message threads in ways that populated data in all columns of this table, however the few populated items are still valuable. Here you will find the name of the the thread, the last activity date in Epoch time, the thread ID, and the user account’s ID that viewed the thread (figure 5). You can match the thread_id values in this table with the “thread_id_published” values in the messages table, to see what thread a particular message was a part of. This is very useful since it is possible the user account has numerous out-of-order direct message threads.

Capture.PNG
Figure 5: Message threads

 

Photo & Video Uploads

\LocalState\Library\Application Support\InstagramOsmeta\

Instagram allows for users to upload images and videos from their Windows desktop device by taking control of a webcam.  The directory structure overview for these items are in figure 6, below.

drafts uploads and videos.PNG
Figure 6: Folder structure for uploaded items.

 

OMA Logs

\LocalState\osmeta_cache\oma_logs\

An oma JSON log file is created in this directory every time the application is launched. The creation time of this log file is the time the application was launched. You may be able to derive an application launch count from the amount of logs files present. When viewed with a text editor, you will find information related to the launch instance (figure 7). Items of interest include “time”, “app_id”, “app_ver”, “device_id”, “device_id”, “session_id”, os_type”, and “os_ver”.

Time: There are two time values in this log. The first appears to be the time the log file was created, and the second was the time the application was actually launched (in Epoch time).

• App_id: The Instagram application’s ID value

App_ver: The running version of the Instagram application

• Device_id: Unique ID to the Windows device using the application

• Session_id: A session ID string for that particular launch instance of Instagram

Device_Type: Shows the Windows machine’s System Model Name

 OS_Type: Shows what OS the application is running on

• OS_Ver: Shows what version of the OS is running

osmet_cache.PNG
Figure 7: An oma_log.json file example.

 

Time Spent in Application

\LocalState\Library\

A JSON file with the ending name “AppEventsTimeSpent” contains when the last time the Instagram application was suspended and the seconds the user spent in the current/most recent session.

appeventstimespent.PNG
Figure 8: Time spent and last application suspend time.

 

Followed Accounts 

\LocalState\osmeta\autocomplete
user block segment.PNG
Figure 9

 

There are many .plist files within this directory, but the one we are interested in is the users-all-users<account_id>.plist. In figure 9 on the left you can see that this file contains a list of every account this user is currently following or has followed at one point. Each user account will be contained within a block-like data segment that begins with Little Endian hex values “21 03 22 03 23 03 24 03 25 03 26….” and ends with “DF 10 63”. There does not seem to be a cached limit of how long the account will store unfollowed accounts. If the Instagram account used for this application was previously used on another device, it will sync and pull all user follow/unfollow data with it.

 

 

Cached Images & Videos

\LocalState\AppData\Local\osmeta\com.burbn.instagram.IGImagecache\
\LocalState\AppData\Local\osmeta\com.burbn.instagram.IGVideoCache\

Recently viewed images and videos are cached and stored locally on the device within these directories. In the image cache directory, you can get an easy insight into the pictures the user has recently viewed (figure 10). To view recently cached videos, go to the video cache directory, export a file, and give it a .mp4 file extension. You will then be able to watch the full exported video that the user had on their screen. Note, just because an image or video exists within one of the directories does not mean it was directly searched for. Although it can from an intentional search, images/videos for ads, from feed scrolling, or scrolling through Instagram’s search page can also populate in this directory. If it displayed on the user’s screen while within the application, there is a potential it is present here.

cached images.PNG
Figure 10: I recently searched for images related to jaguar F-types and this image was found int the cache.

Instagram Feed

\LocalState\AppData\Local\osmeta\Items\

The “lastentries.<user_id>.coded” and “lastreel-response-<user_id>.coded” files can be loaded into a hex editor, where you will find data relating to the user’s Instagram feed (figure 11). The ‘feed’ can be thought of as the main page of Instagram where the user sees images/videos/stories from the users they follow. Between these two files you will find data relating to posts other people have made. You will also find reminiscences of post descriptions, tagged users, and tagged locations (figures 12 & 13).

lastreel-response.PNG
Figure 11: A post by Will Smith appeared in the user’s Instagram feed.
usertag.PNG
Figure 12: The highlighted username was found tagged within a post on the feed.
tagged placedid.PNG
Figure 13: A tagged location can be found.

In case you were curious about the many instances of URL addresses you will see within these two files, they can be copied out to a browser and will actually resolve the photo (Figure 14)!

links works and find images.PNG
Figure 14: Links will resolve photos.

Account Following Status

\LocalState\AppData\Local\osmeta\com.burbn.instagram.IGNetworkingDisckCache\

Unlike all other user account references, the data found within this directory will display the following status of the instagram accounts viewed by this user. In the example below, my test user account came across a user named “artcraftsy” and recently saw one of his posts. The NetworkingDiskCache file shows that although I saw one of his posts, my account is not actually following this account (figure 15).

IGNetworkingDiskCache.PNG
Figure 15: Friendship_status is shown as “following : false”.

Recycle Bin

\TempState

Along with a recycle bin directory for all very recently deleted Instagram posts/images, many tmp files can be found with small changes that occurred between different launch sessions. This is a potential directory for a last resort push for deleted items related to the application.

recycle bin.PNG
Figure 16: Instagram Recycle bin and tmp file locations.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a free website or blog at WordPress.com.

Up ↑

Create your website at WordPress.com
Get started
%d bloggers like this: