Facebook Messenger Desktop

Overview

Application Discontinued — December 15, 2025

Meta pulled Facebook Messenger Desktop from the Mac App Store on December 15, 2025. The app can no longer be installed, but residual data persists on millions of Macs in the sandboxed container at ~/Library/Containers/com.facebook.archon/. For investigations covering the 2020–2025 timeframe, these artifacts remain forensically significant.

Facebook Messenger Desktop was a Mac Catalyst application (bundle ID com.facebook.archon) available from approximately 2020 through December 2025. The app is a direct port of the iOS Messenger client to macOS using Apple's Catalyst framework. It stores all conversation data in Facebook's Lightspeed/MSYS SQLite database — a cross-platform C library that uses SQLite as the universal data management layer, with hundreds of tables covering messages, threads, contacts, calls, payments, and application activity.

Two critical facts define the forensic posture of this artifact:

Encryption uncertainty. Meta rolled out default end-to-end encryption for all personal Messenger chats on December 6, 2023. Post-E2EE databases are likely encrypted at the SQLite page level. Pre-2023 databases were likely stored as plaintext SQLite. The collector determines encryption status at runtime by checking the SQLite header magic bytes. If the database is encrypted, full message parsing is not possible; the raw file is collected for offline analysis and metadata is extracted from unencrypted supporting files.

Server-primary cache model. Unlike WhatsApp (which stores complete message history locally), Messenger operates on a server-primary model. The local database is a sync cache containing only recently viewed messages. Older conversations exist only on Meta's servers. The local cache is still forensically valuable as evidence of what the user recently accessed, but investigators must not assume they have a complete message history.

File Locations

| Artifact | Path | Format | Notes |
| --- | --- | --- | --- |
| Primary container | ~/Library/Containers/com.facebook.archon/ | Directory | Main sandbox container |
| Lightspeed database | ~/Library/Containers/com.facebook.archon/Data/Library/Application Support/Messenger/Partitions/<id>/lightspeed-<fbid>.db | SQLite | Primary forensic artifact |
| Database WAL | ...lightspeed-<fbid>.db-wal | SQLite WAL | Always collect alongside database |
| Database SHM | ...lightspeed-<fbid>.db-shm | SQLite SHM | Shared memory file |
| Preferences | ~/Library/Containers/com.facebook.archon/Data/Library/Preferences/com.facebook.archon.plist | Binary plist | Account metadata |
| Preferences (residual) | ~/Library/Preferences/com.facebook.archon.plist | Binary plist | Survives container deletion |
| Cookies | ~/Library/Containers/com.facebook.archon/Data/Library/Cookies/Cookies.binarycookies | Binary cookies | Authentication cookies |
| Media cache (container) | ~/Library/Containers/com.facebook.archon/Data/Library/Caches/com.facebook.archon/ | Files | Cached images, thumbnails |
| Media cache (user) | ~/Library/Caches/com.facebook.archon/ | Files | Residual — survives container deletion |
| Saved application state | ~/Library/Containers/com.facebook.archon/Data/Library/Saved Application State/com.facebook.archon.savedState/ | Binary | Window and UI state |
| Container metadata | ~/Library/Containers/com.facebook.archon/Container.plist | Binary plist | Sandbox entitlements |

Developer ID Variant

A developer ID variant exists under a separate bundle ID. If the standard container is absent, check:

~/Library/Containers/com.facebook.archon.developerID/

Residual Artifacts After App Removal

The Mac App Store uninstaller removes the application bundle but does not automatically delete the sandbox container or user-domain caches. These paths may persist long after the app was removed from the App Store or uninstalled by the user:

  • ~/Library/Caches/com.facebook.archon/ — residual media cache
  • ~/Library/Preferences/com.facebook.archon.plist — residual preferences
  • ~/Library/Caches/14c12d71.com.facebook.archon/ — auxiliary WebKit/system cache

Facebook User ID (FBID) Attribution

The Facebook User ID (FBID) is a large integer (e.g., 100012345678901) that serves as the primary account identifier throughout all Messenger artifacts.

| Location | Format | Example |
| --- | --- | --- |
| Database filename | lightspeed-<fbid>.db | lightspeed-100098765432101.db |
| Thread keys | fbid_from_thread_key field | 100012345678901 |
| Message sender/receiver | Numeric FBID fields | 100012345678901 |
| Contact records | FBID per contact | 100012345678901 |
| Payment records | Requester and recipient FBID | 100012345678901 |
| Preferences plist | Logged-in user state | |

FBIDs can be correlated with Facebook.com profile URLs at facebook.com/profile.php?id=<fbid>, with WhatsApp via the shared group.com.facebook.family container (Meta family apps), and with Instagram user mappings.

Encryption Detection

The collector checks whether the Lightspeed database is plaintext or encrypted by reading the first 16 bytes of the file:

Plaintext SQLite:  53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00
                   "SQLite format 3\000"

Encrypted:         <random bytes — no recognisable header>

This detection is performed before any SQL operation. If the header is not the standard SQLite magic string, the database is treated as encrypted and the collector falls back to raw file collection.

To manually check encryption status:

# Read the first 15 bytes (the 16th header byte is the NUL terminator) and print as ASCII
head -c 15 lightspeed-100098765432101.db

A plaintext database prints SQLite format 3. An encrypted database produces unreadable output.
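The header check and filename-based FBID attribution can be combined into one triage pass. The following is an added example, not macfor's code or part of the original page; the `status` and `companions` fields and the sample files it builds are assumptions made for illustration, while the other field names follow the account record shown later on this page.

```python
import re
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"            # 16-byte plaintext header
DB_NAME = re.compile(r"^lightspeed-(\d+)\.db$")  # FBID is encoded in the filename


def triage_lightspeed(root):
    """Classify every lightspeed-<fbid>.db under root without invoking SQLite."""
    results = []
    for path in sorted(Path(root).rglob("lightspeed-*.db")):
        m = DB_NAME.match(path.name)
        if not m:
            continue
        with open(path, "rb") as fh:          # raw read-only access to the evidence file
            header = fh.read(16)
        if header == SQLITE_MAGIC:
            status = "plaintext"
        elif len(header) < 16:
            status = "truncated"              # too short to hold a header
        else:
            status = "no_sqlite_header"       # treated as encrypted
        results.append({
            "fbid": m.group(1),
            "database_path": str(path),
            "database_encrypted": status != "plaintext",
            "database_size": path.stat().st_size,
            "status": status,                 # assumed field, not in the page's record
            "companions": [s for s in ("-wal", "-shm") if Path(str(path) + s).exists()],
        })
    return results


def build_sample(root):
    """Constructed sample tree: one plaintext header, one opaque file."""
    part = Path(root) / "Partitions" / "default"
    part.mkdir(parents=True)
    (part / "lightspeed-100098765432101.db").write_bytes(SQLITE_MAGIC + bytes(84))
    (part / "lightspeed-100098765432101.db-wal").write_bytes(b"")
    (part / "lightspeed-100012345678901.db").write_bytes(bytes(range(100, 200)))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in triage_lightspeed(build_sample(tmp)):
            print(rec)
```

Because the files are read as raw bytes and never opened through SQLite, the check does not checkpoint or otherwise alter the WAL companion.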

E2EE Timeline

| Date | Event |
| --- | --- |
| 2016 | "Secret Conversations" feature introduced (opt-in E2EE) |
| October 2023 | Testing of default E2EE begun for some users |
| December 6, 2023 | Default E2EE rolled out globally for all personal 1:1 chats and calls |
| November 2025 | Key Transparency verification launched |
| December 15, 2025 | Desktop app discontinued |

Databases from installations active before December 2023 may be plaintext. Databases from post-2023 installations are likely encrypted. The transition is not a hard cutoff — the rollout was gradual, and a database that was plaintext before December 2023 may or may not have been re-encrypted on update.

Key Artifacts

Lightspeed Database (lightspeed-<fbid>.db)

The primary forensic artifact. Contains messages, conversation threads, contacts, calls, payments, search history, and application activity. See Lightspeed Database for schema documentation and SQL queries.

The database name encodes the logged-in user's FBID directly, enabling account attribution without opening the database.

Preferences Plist (com.facebook.archon.plist)

Binary plist containing application settings, logged-in account state, and potentially the last-used FBID. Remains accessible even if the database is encrypted. Useful for confirming which account was active on a given machine.

Authentication Cookies (Cookies.binarycookies)

Apple binary cookies format containing session cookies for facebook.com and messenger.com. May include long-lived session tokens that can be used for legal process identification. These cookies persist after app discontinuation.

Media Cache

The cache directories contain cached profile pictures, image thumbnails, video thumbnails, sticker packs, and GIF previews. Files are often stored with hash-based names and no extension. MIME type identification from magic bytes is required. The cache may survive container deletion.
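Magic-byte identification of extensionless cache files can be sketched as follows. This is an added example, not part of the original page or of any tool it names; the signature set covers only common image and video containers, and the hash-style filenames and file contents in `SAMPLES` are constructed.

```python
import tempfile
from pathlib import Path

ISO_BRANDS = {b"heic": "image/heic", b"heix": "image/heic",
              b"qt  ": "video/quicktime", b"M4A ": "audio/mp4"}

# Constructed sample: extensionless, hash-style names with known leading bytes.
SAMPLES = {
    "3f9a1c": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "7be204": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "a01d55": b"GIF89a\x01\x00\x01\x00",
    "c4e8f0": b"RIFF\x24\x00\x00\x00WEBPVP8 ",
    "d9120b": b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00",
    "e77a3c": b"not a media file",
}


def sniff_mime(head):
    """Classify a cache file from its leading bytes (the first 12 are examined)."""
    if head.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "image/webp"
    if head[4:8] == b"ftyp":                   # ISO base media container
        return ISO_BRANDS.get(head[8:12], "video/mp4")
    return "application/octet-stream"          # unknown: keep for manual review


def inventory_cache(cache_dir):
    """Map each file under cache_dir (relative path) to its sniffed MIME type."""
    root = Path(cache_dir)
    found = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with open(path, "rb") as fh:
            found[str(path.relative_to(root))] = sniff_mime(fh.read(16))
    return found


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            (Path(tmp) / name).write_bytes(data)
        print(inventory_cache(tmp))
```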

Application Architecture History

| Period | Architecture | Notes |
| --- | --- | --- |
| Pre-2020 | No native Mac app | Users relied on messenger.com or third-party web wrappers |
| 2020–2022 | Electron + MSYS | Full MSYS sync database; data in Application Support |
| 2022–2025 | Mac Catalyst (UIKit) | Ported from iOS; data in Containers/com.facebook.archon |
| December 15, 2025 | Discontinued | Redirects to web; no standalone desktop app |

macOS Version Support

| macOS Version | Messenger Availability | Notes |
| --- | --- | --- |
| 10.15 Catalina | Available | First Mac Catalyst support |
| 11 Big Sur | Available | Stable Catalyst support |
| 12 Monterey | Available | |
| 13 Ventura | Available | E2EE default rollout (December 2023) |
| 14 Sonoma | Available | |
| 15 Sequoia | Available until December 2025 | Last supported macOS version |
| 16 and later | Not available | Residual data only |

Forensic Analysis Notes

Encryption status drives analysis strategy. The first question for any Messenger artifact is whether the database is plaintext or encrypted. If encrypted, focus on: the preferences plist for account identification, the media cache for visual evidence, TCC database entries for permission grants, and KnowledgeC for usage patterns.

Cache-only message history. The presence of a conversation thread in the database does not mean all messages are available. The local cache reflects what was visible to the user at the time of last sync. Threads with high unread counts may have very few locally cached messages. Complete message history requires legal process to Meta.

Search tokens are unaffected by message encryption. The search_tokens table records names and FBIDs of users the account owner searched for. This table may be stored separately from the main message data or in an unencrypted table within the same database. It provides evidence of deliberate searches for specific people regardless of whether messages are encrypted.

Payment records persist independently. Messenger Pay transaction records (p2p_requests and p2p_transfers) may be stored in a standalone p2p_transfer.db file or within the main Lightspeed database. These tables contain financial transaction evidence — amounts, FBIDs, memos, timestamps — and may remain accessible even if the main message database is encrypted. See Messenger Pay for details.

Vanish mode traces. Messages sent in Vanish mode disappear after the recipient leaves the chat. However, forensic traces may persist in: the SQLite WAL file before the delete commits, SQLite free pages after deletion, FSEvents records showing database writes, KnowledgeC entries showing the app was in focus during the conversation, and Notification Center database entries.

TCC permissions persist after discontinuation. The TCC database retains permission grants for com.facebook.archon even after the app is removed. Camera, microphone, contacts, and photos permissions provide evidence of app capabilities and approximate usage periods.

Correlation Opportunities

| Artifact | Correlates With |
| --- | --- |
| Messenger FBID | Safari/Chrome history (FBID in Facebook URLs), browser cookies |
| Message timestamps | KnowledgeC app usage (/app/inFocus for com.facebook.archon) |
| Contact FBIDs | Other Meta apps via group.com.facebook.family group container |
| Call timestamps | FaceTime call history (alibi comparison), network connection logs |
| Media cache files | Quick Look thumbnail database (if user previewed cached media) |
| Notification history | Notification Center database (com.facebook.archon entries) |
| TCC permissions | Camera/microphone grants for voice and video calls |
| Network activity | WiFi known networks correlating with message sync times |

Comparison with Other Messaging Apps

| Feature | FB Messenger | WhatsApp | Signal | Telegram |
| --- | --- | --- | --- | --- |
| macOS app status | Discontinued Dec 2025 | Active | Active | Active |
| Local DB format | Lightspeed/MSYS SQLite | Core Data SQLite | SQLCipher SQLite | TDLib binary (TDF$) |
| DB encryption | Likely encrypted (post-2023) | Plaintext | SQLCipher (key in config.json) | Custom binary |
| Complete local history | No (cache only) | Yes | Yes | Partial (cloud-primary) |
| Forensic value | Medium-Low | Very High | Medium | Medium |
| Full Disk Access required | No | No | No | No |

Tool Support

| Tool | Support Level |
| --- | --- |
| macfor | Adaptive: full parse if unencrypted; raw collection + metadata if encrypted |
| AXIOM | Limited Facebook Messenger Desktop support |
| Cellebrite | Limited support |
| DB Browser for SQLite | Manual analysis when database is plaintext |
| sqlite3 CLI | Direct query access when database is plaintext |

macfor Collection

This artifact is collected by the messaging.fbmessenger plugin in the macfor-pro module.

macfor-pro collect --plugin messaging.fbmessenger --output ./evidence.zip

Collection Options

| Option | Default | Description |
| --- | --- | --- |
| skip_messages | false | Skip message parsing (even if database is unencrypted) |
| skip_contacts | false | Skip contact extraction |
| skip_payments | false | Skip payment transaction extraction |
| skip_calls | false | Skip call history extraction |
| skip_searches | false | Skip search token extraction |
| skip_media | false | Skip media cache enumeration |
| include_media_files | false | Copy actual media cache files to container |
| include_raw | false | Collect raw database files (always collected if encrypted) |
| metadata_only | false | Omit message body text from output records |

Adaptive Collection Behavior

The plugin detects encryption at runtime and adjusts its behavior:

Unencrypted database: Full parsing of messages, threads, contacts, calls, payment records, search tokens, and activity log. Records emitted as fbmessenger_messages, fbmessenger_threads, fbmessenger_contacts, fbmessenger_calls, fbmessenger_payments, fbmessenger_searches, and fbmessenger_activity.

Encrypted database: Raw database files (lightspeed-<fbid>.db plus WAL and SHM companions) collected as fbmessenger_raw. Account record emitted as fbmessenger_accounts with database_encrypted: true. Metadata, preferences, cookies, and media cache collected regardless.

Account Record Output

An fbmessenger_accounts record is emitted for every discovered database, regardless of encryption status:

{
  "fbid": "100098765432101",
  "database_path": "/Users/jdoe/Library/Containers/com.facebook.archon/Data/Library/Application Support/Messenger/Partitions/default/lightspeed-100098765432101.db",
  "database_encrypted": false,
  "database_size": 52428800,
  "container_path": "/Users/jdoe/Library/Containers/com.facebook.archon",
  "user": "jdoe"
}
