Facebook Android app analysis

The Facebook Android app is one of the most widely used social networking applications. It stores its information in the /data/data folder, within the com.facebook.katana package. The following details provide an overview of the kind of information that can be gathered across various files:

  • Facebook contacts: Information about the user's Facebook contacts can be retrieved by analyzing the contacts_db2 database, which is present under the following path:
    • Path: /data/data/com.facebook.katana/databases/contacts_db2.
    • The contacts_db2 database (SQLite file) contains a table named contacts, which contains most of the user's information, such as their first name, last name, display name, and URL for display picture.
  • Facebook notifications: Information about a user's notifications can be gathered by analyzing the notifications_db database, which is present under the following path:
    • Path: /data/data/com.facebook.katana/databases/notifications_db.
    • The gql_notifications table present under the preceding path holds the user's information. The seen_state column confirms whether a notification has been seen or not. The updated column points to the time when the notification was updated. The gql_payload column contains the notification and the sender information.
  • Facebook messages: A Facebook message conversation may be of crucial importance in several cases and can be viewed by analyzing the threads_db2 database:
    • Path: /data/data/com.facebook.katana/databases/threads_db2
  • Videos from newsfeed: The /video-cache folder contains videos that have been downloaded from the user's newsfeed. Note that these are not the videos posted by the user, but rather they are the videos that appeared on their newsfeed:
    • Path: /data/data/com.facebook.katana/files/video-cache
  • Images from newsfeed: The /images folder contains various images that appear on the user's profile, such as the ones from their newsfeed and contact profile pictures. Several directories are present within this folder and images may be stored in formats other than .jpg, such as .cnt:
    • Path: /data/data/com.facebook.katana/cache/images
  • Newsfeed data: The newsfeed_db database contains data shown to the user on their newsfeed. As shown in the following screenshot, analyzing this database would provide valuable information, such as when a particular story was loaded by the device (the fetched_at column), if a particular story was seen by the user (the seen_state column), and where the corresponding files of a story are stored on the device (the cache_file_path column):
    • Path: /data/data/com.facebook.katana/databases/newsfeed_db

The Facebook newsfeed_db file analyzed in SQLite browser

In the preceding screenshot, fetched_at specifies the date and time when this information was fetched. Notice that the app stores this value in Linux epoch time, also known as Unix time or POSIX time. Many apps use this format, so it is worth understanding. Linux epoch time is stored as the number of seconds (or milliseconds) since midnight on January 1, 1970. Several online sites, such as https://www.epochconverter.com/, can readily convert Linux epoch time into a human-readable format. For example, the following screenshot shows Linux epoch time 1,577,881,839 converted into a human-readable format:

Example of time format
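
The same conversion can be done offline during analysis. The following Python script is an added example, not code from the original text: it finds whichever table in a copy of newsfeed_db holds the fetched_at, seen_state, and cache_file_path columns and converts fetched_at from epoch seconds or milliseconds to UTC. The table name stories_sample, the seen_state values, and the cache paths in the sample are constructed, and the 10^11 cutoff for telling seconds from milliseconds is an assumption.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WANTED = ("fetched_at", "seen_state", "cache_file_path")  # column names from the text

def epoch_to_utc(value):
    """Convert Unix epoch seconds or milliseconds to an aware UTC datetime."""
    value = int(value)
    # Assumption: 1e11 seconds is past the year 5000, so larger values are milliseconds.
    secs, millis = divmod(value, 1000) if abs(value) >= 10**11 else (value, 0)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=millis)

def tables_with_columns(conn, columns):
    """Find tables holding every wanted column, so no table name has to be assumed."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    found = []
    for name in names:
        present = {row[1] for row in conn.execute(f'PRAGMA table_info("{name}")')}
        if set(columns) <= present:
            found.append(name)
    return found

def newsfeed_timeline(conn):
    """Return (UTC ISO time, seen_state, cache_file_path) tuples, oldest first."""
    rows = []
    for table in tables_with_columns(conn, WANTED):
        query = f'SELECT {", ".join(WANTED)} FROM "{table}" WHERE fetched_at IS NOT NULL'
        for fetched_at, seen_state, path in conn.execute(query):
            rows.append((epoch_to_utc(fetched_at), seen_state, path))
    rows.sort(key=lambda r: r[0])  # sort on the converted time, not the raw mixed units
    return [(dt.isoformat(), seen, path) for dt, seen, path in rows]

def build_sample_db():
    """Constructed stand-in for newsfeed_db; table name and row values are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stories_sample "
                 "(fetched_at INTEGER, seen_state TEXT, cache_file_path TEXT)")
    conn.executemany("INSERT INTO stories_sample VALUES (?, ?, ?)", [
        (1577881839123, "1", "/constructed/cache/story_b"),  # milliseconds
        (1577881839, "0", "/constructed/cache/story_a"),     # seconds (value from the text)
    ])
    return conn

if __name__ == "__main__":
    # For a real extraction, open a working copy read-only instead:
    # sqlite3.connect("file:newsfeed_db?mode=ro", uri=True)
    for row in newsfeed_timeline(build_sample_db()):
        print(row)
```

Reporting the converted times in UTC keeps them independent of the examiner workstation's local time zone.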

Now that we have performed an analysis of the Facebook app, let's perform a similar analysis with our next application, which is WhatsApp.
