Having trouble viewing this email? View it as a Web page. |

TECHNICAL-ADVISORY-2020-002

DISCORD CHAT APP ARTIFACTS

SUMMARY

DISCORD DIFFERENCES ACROSS MULTIPLE PLATFORMS

This technical advisory provides updated Digital/Multimedia Forensic insights into Discord, which is a popular cross-platform chat application for Android, iOS, Windows, Mac, and Linux. Chat applications can be valuable sources of digital evidence during a forensic investigation, providing information about what communications occurred, when, between which user accounts. Discord is used by an increasing number of organizations and communities for group chat and meeting new people. There are Discord servers dedicated to Fortnite, Minecraft, Roblox, and many other games. Some people use Discord for professional collaboration, study groups, book clubs, dance lessons, and other constructive activities. There are also Discord servers dedicated to dating.

TECHNICAL CHALLENGE

The location and format of Discord stored data varies across platforms, and some information is not currently extracted by digital forensic tool. It is important for digital forensic practitioners to realize that additional information can be extracted using specialized knowledge and tools.

DETAILS

Multiple investigations have involved Discord on various platforms, and DC3 has found useful digital evidence in the following places.

On Android, Discord stores its application files under the "/data/data/com.discord/" directory. Three subdirectories of special interest are "shared_prefs," "cache," and "files" which respectively contain user configuration information in the file called “com.discord_preferences.xml,” cached multimedia files, and Discord usage details such as chat messages. The format and parsing of the Message files is detailed in Technical Series Publication 2020-001. 

On iOS devices, Discord stores its cached files under in Applications in the "/Library/Caches/com.hammerandchisel.discord/fsCachedData/" directory which can include chat messages in JSON format. User configuration information is stored in "/Documents/mmkv/mmkv.default" and avatar images can be found in the "/Library/Caches/com.hackemist.SDImageCache/default/" directory. Similarly, on On MacOS X systems, Discord stores files under the "/Users/[USERNAME]/Library/Application Support/discord" directory in JSON files, and the default.mmkv file which contains user configuration details.

On Windows systems, Discord stores files under the "C:/Users/[USERNAME]/AppData/Roaming/discord" directory. Some files are stored in the "cache" subdirectories using the Chrome cache storage structure that can be parsed using forensic tools for Chrome browser cache. The configured user information can be found under the "Local_Storage/leveldb" subdirectory in a log file (e.g., "000003.log").

SYNOPSIS

Commonly used digital forensic tools may not parse and present all of the information that Discord stores in different locations and formats on Android, iOS, Mac and Windows. It is necessary to delve deeper into the files, folders and data structures to obtain the most valuable digital evidence. 

Contributors Acknowledgements

Technical Advisories are a five-minute read to raise awareness among investigators, forensic practitioners, attorneys, and judges about an emerging trend in Digital/Multimedia Forensics.

• Eric Robertson (DC3/TSD)
• DC3 Editorial Board (Curation, Review, & Publication)

For additional information and automated decryption capabilities please reach out to DC3 at hub@dc3.mil.

Relevant Forensic Artifacts

DC3 is building a crowdsourced catalog of forensic artifacts, created by practitioners for practitioners, to curate expertise across the digital forensic community, making it available as a user friendly, online knowledge management platform. In this context, a digital artifact is defined as a singular unit of interpretable data that can be extracted from a given data source.