W10-FaceMessenger @ Autopsy is an Autopsy data source ingest module that wraps around the stand-alone application W10-FaceMessenger to parse and create the following artifacts associated with the use of Facebook's Messenger (Beta) on Windows 10:
- Contacts
- Messages
- Calls
- Cached images
- Deleted database records
If you have never installed a third-party module in Autopsy, have a look at the official Autopsy User Documentation.
If you choose to use one of the existing releases, all you need to do is extract the contents of the ZIP file into the `python_modules` folder.
Otherwise, you must:
- Create a folder named `w10-facemessenger` within `python_modules`
- Place `ingest_module.py` into this new folder
- Place the W10-FaceMessenger self-contained executable into this same folder
For the time being, you must run Microsoft Windows.
You also need a self-contained executable of W10-FaceMessenger to run this module (see here).
W10-FaceMessenger @ Autopsy expects a data source containing at least one Windows user profile directory such as `C:\Users\ricardoapl`.
If you would like to know more about running ingest modules in Autopsy, check out the official Autopsy User Documentation.
Please read through the following list of known issues before asking for help.
- Part of our module is currently being flagged as malicious by some anti-malware solutions (see here)
- Consecutive runs of the module in the same case are currently not being handled and will most likely return an error
Please use the issue tracker to ask for help, request a new feature or report any bugs.
- Distinguish between successful and lost calls
- Allow persistence of multimedia content through module options
Have a look at the contributing guidelines before submitting any pull request.
This software was originally developed by Osvaldo Rainha (@orainha) and Ricardo Lopes (@ricardoapl) under the guidance of Miguel Frade (@mfrade) and Patrício Domingues (@PatricioDomingues).
W10-FaceMessenger @ Autopsy is available under the terms of the MIT License.