W10-FaceMessenger is a forensic analysis tool designed to extract the most significant artifacts produced by the usage of the Microsoft Store application Messenger (Beta) by Facebook Inc.
This tool is currently capable of extracting the following content:
- Contacts
- Messages
- Cached images
- Deleted database records
Clone this repository into your local machine and run `pip install -r requirements.txt`.
As an alternative, you can use one of the self-contained executables we provide (see Releases).
For the time being, you must run Microsoft Windows.
If you choose to run from source, you will need Python 3.
There's no need to install Python or any other software if you opt for the provided binary releases.
W10-FaceMessenger must point to a Windows user profile directory such as `C:\Users\ricardoapl`.
Running `python.exe .\w10-facemessenger\main.py --help` should yield the following help message:

```
usage: main.py [-h] --input INPUT [--output OUTPUT] [--format {html,csv}] [--delimiter DELIMITER] [--depth {fast,complete}]

Windows 10 Messenger (Beta) forensic analysis tool

optional arguments:
  -h, --help            show this help message and exit
  --output OUTPUT       set output directory for report (defaults to Desktop)
  --format {html,csv}   choose report format (defaults to "html")
  --delimiter DELIMITER
                        specify csv report delimiter (defaults to ",")
  --depth {fast,complete}
                        fast: no images, no internet required; complete: with images, internet required, slower

required arguments:
  --input INPUT         set path to user directory
```
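The following is an added example, not part of the project's own code or documentation: a PowerShell wrapper that runs the tool with the options listed above against a working copy of a user profile, checks that the copy was not altered by the run, and records SHA-256 hashes of the generated report. The `E:\case-001\...` paths and the `Get-HashManifest` helper are assumptions made for illustration.

```powershell
$ErrorActionPreference = 'Stop'

# Constructed paths (assumptions): a profile exported from a disk image and a
# per-case report folder, used instead of the default Desktop output location.
$ProfileDir = 'E:\case-001\export\Users\ricardoapl'
$ReportDir  = 'E:\case-001\reports\w10-facemessenger'
$HashFile   = 'E:\case-001\reports\w10-facemessenger.sha256'

# Hypothetical helper: one "HASH  relative\path" line per file under $Root.
function Get-HashManifest([string]$Root) {
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force |
        Sort-Object FullName |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
            '{0}  {1}' -f $h.Hash, $_.FullName.Substring($Root.Length)
        }
}

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Baseline of the evidence copy before the tool touches it.
$before = @(Get-HashManifest $ProfileDir)

# "fast" depth needs no internet according to the help text, so the analysis
# machine can stay offline; CSV with ';' avoids clashes with commas in messages.
python.exe .\w10-facemessenger\main.py `
    --input $ProfileDir `
    --output $ReportDir `
    --format csv `
    --delimiter ';' `
    --depth fast
if ($LASTEXITCODE -ne 0) { throw "main.py exited with code $LASTEXITCODE" }

# Re-hash the input and flag any difference introduced during the run.
$after = @(Get-HashManifest $ProfileDir)
if (($before -join "`n") -ne ($after -join "`n")) {
    Write-Warning 'Input profile changed during analysis; review before relying on the report.'
}

# Hash the report files first, then write the manifest outside the report folder.
$reportHashes = @(Get-HashManifest $ReportDir)
$reportHashes | Set-Content -LiteralPath $HashFile -Encoding UTF8
Write-Output "Hashed $($reportHashes.Count) report file(s) into $HashFile"
```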
The self-contained executables we provide are currently being flagged as malicious by some anti-malware solutions. In case of doubt, feel free to bundle the binaries yourself with PyInstaller and the provided `pyinstaller.spec` file.
Please use the issue tracker to ask for help, request a new feature or report any bugs.
Future work includes decoupling the ingest and report parts into separate tools, similar to what happens with other UNIX-like software.
Other planned changes:
- Add JSON and SQLite output formats
- Remove CSV and HTML output formats
- Parse other content types from cache (videos, text files, etc.)
- Parse SQLite WAL files
- Parse RoamingState
- Add support for non-beta version of Messenger
- Add support for GNU/Linux and macOS
Have a look at the contributing guidelines before submitting any pull request.
This software was originally developed by Osvaldo Rainha (@orainha) and Ricardo Lopes (@ricardoapl) under the guidance of Miguel Frade (@mfrade) and Patrício Domingues (@PatricioDomingues).
W10-FaceMessenger is available under the terms of the MIT License.
Furthermore, it makes use of: