Facebook Messenger — Messenger Pay

Overview

Messenger Pay is a peer-to-peer payment feature built into Facebook Messenger that allows users to send and request money directly through the messaging interface. The feature uses Facebook's payment infrastructure and is linked to a payment method (debit card, PayPal) stored in the user's Facebook account.

Payment transaction records are stored in the Lightspeed/MSYS database under two tables:

  • p2p_requests — payment requests sent or received (a request for money from another user)
  • p2p_transfers — completed payment transfers

These records may be stored in the main lightspeed-<fbid>.db file, in a standalone p2p_transfer.db file, or in both locations depending on the Messenger version. The macfor collector checks both sources.

Available Even When Messages Are Encrypted

Payment records are metadata about financial transactions, not message content. They may be stored in separate, unencrypted tables even when the main message tables are encrypted. Investigators encountering encrypted Lightspeed databases should still check for the presence of payment tables.

Forensic Significance

Messenger Pay records provide direct financial transaction evidence:

  • Identity attribution: Sender and recipient FBIDs identify the exact Facebook accounts involved in each transaction. FBIDs can be correlated with Facebook profile URLs (facebook.com/profile.php?id=<fbid>), contact records, and browser history.
  • Financial timeline: Transaction timestamps establish when money moved between parties. Combined with message timestamps, investigators can correlate payments with conversation context.
  • Transaction memos: The optional memo field contains user-provided notes (e.g., "rent," "drugs," "loan repayment") that may provide direct evidence of the purpose of a payment.
  • Thread linking: The thread_url field links each payment to the Messenger conversation thread in which it occurred, providing conversation context.
  • Status evidence: A completed transfer (status = completed) is stronger evidence than a pending request. An accepted request that was subsequently cancelled or declined is also recorded.

File Locations

| Source | Path | Notes |
|---|---|---|
| Main Lightspeed database | ...Partitions/<id>/lightspeed-<fbid>.db | Embedded payment tables |
| Standalone payment database | ...Partitions/<id>/p2p_transfer.db | May exist alongside Lightspeed |

The standalone p2p_transfer.db was confirmed in the Windows Messenger variant as a separate file named p2p_transfer.db with schema version p2p_payments_store.v2. The macOS Catalyst variant may follow the same pattern or embed payment tables within the main Lightspeed database.

Table Schemas

p2p_requests

Records payment requests — one user asking another to send money.

| Column (expected) | Type | Description |
|---|---|---|
| transfer_id | TEXT | Unique identifier for the payment request |
| sender_id | TEXT | FBID of the user who sent the request (asking for money) |
| recipient_id | TEXT | FBID of the user receiving the request (asked to pay) |
| amount | REAL | Requested monetary amount |
| currency | TEXT | ISO 4217 currency code (e.g., USD, EUR, GBP) |
| memo | TEXT | User-provided note attached to the request |
| status | TEXT | Request status (pending, completed, cancelled, declined) |
| timestamp | INTEGER | Request creation time — Unix epoch milliseconds |
| thread_url | TEXT | Messenger conversation URL (e.g., https://www.messenger.com/t/<fbid>) |

p2p_transfers

Records completed or attempted payment transfers.

| Column (expected) | Type | Description |
|---|---|---|
| transfer_id | TEXT | Unique transaction identifier |
| sender_id | TEXT | FBID of the user who sent money |
| recipient_id | TEXT | FBID of the user who received money |
| amount | REAL | Transferred monetary amount |
| currency | TEXT | ISO 4217 currency code |
| memo | TEXT | User-provided note |
| status | TEXT | Transfer status (completed, pending, failed, refunded) |
| timestamp | INTEGER | Transfer timestamp — Unix epoch milliseconds |
| thread_url | TEXT | Messenger conversation URL |

The p2p_requests and p2p_transfers schemas are largely identical. The primary distinction is semantic: requests are solicitations for money, transfers are actual money movements. A request that is fulfilled results in both a p2p_requests record (the solicitation) and a p2p_transfers record (the payment).

Timestamp Format

Payment timestamps use the same format as all Lightspeed/MSYS tables: Unix epoch milliseconds.

-- Convert payment timestamp to ISO 8601
SELECT datetime(timestamp / 1000, 'unixepoch') AS payment_utc
FROM p2p_transfers;

Key SQL Queries

All Payment Transfers

SELECT
    transfer_id,
    sender_id       AS sender_fbid,
    recipient_id    AS recipient_fbid,
    amount,
    currency,
    memo,
    status,
    datetime(timestamp / 1000, 'unixepoch') AS payment_utc,
    thread_url
FROM p2p_transfers
ORDER BY timestamp DESC;

All Payment Requests

SELECT
    transfer_id,
    sender_id       AS requester_fbid,
    recipient_id    AS target_fbid,
    amount,
    currency,
    memo,
    status,
    datetime(timestamp / 1000, 'unixepoch') AS requested_utc,
    thread_url
FROM p2p_requests
ORDER BY timestamp DESC;

Payments Involving a Specific FBID (Sent or Received)

SELECT
    'transfer'  AS record_type,
    transfer_id,
    sender_id,
    recipient_id,
    amount,
    currency,
    memo,
    status,
    datetime(timestamp / 1000, 'unixepoch') AS timestamp_utc
FROM p2p_transfers
WHERE sender_id    = '<target_fbid>'
   OR recipient_id = '<target_fbid>'

UNION ALL

SELECT
    'request'   AS record_type,
    transfer_id,
    sender_id,
    recipient_id,
    amount,
    currency,
    memo,
    status,
    datetime(timestamp / 1000, 'unixepoch') AS timestamp_utc
FROM p2p_requests
WHERE sender_id    = '<target_fbid>'
   OR recipient_id = '<target_fbid>'

ORDER BY timestamp_utc DESC;

Total Value Transferred by Currency

SELECT
    currency,
    SUM(amount)   AS total_transferred,
    COUNT(*)      AS transaction_count
FROM p2p_transfers
WHERE status = 'completed'
GROUP BY currency
ORDER BY total_transferred DESC;

Payments by Memo Keyword

-- Search for payments with specific memo text
SELECT
    sender_id,
    recipient_id,
    amount,
    currency,
    memo,
    datetime(timestamp / 1000, 'unixepoch') AS payment_utc
FROM p2p_transfers
WHERE lower(memo) LIKE '%rent%'
   OR lower(memo) LIKE '%loan%'
   OR lower(memo) LIKE '%owe%'
ORDER BY timestamp DESC;

Check p2p Tables Exist in Main Database

-- Run against the main lightspeed database to check for payment tables
SELECT name FROM sqlite_master
WHERE type = 'table'
  AND (name LIKE '%p2p%' OR name LIKE '%payment%' OR name LIKE '%transfer%')
ORDER BY name;

Check p2p_transfer.db Separately

-- If a standalone p2p_transfer.db exists, attach it and query:
ATTACH DATABASE 'p2p_transfer.db' AS payments;

SELECT
    transfer_id,
    sender_id,
    recipient_id,
    amount,
    currency,
    memo,
    status,
    datetime(timestamp / 1000, 'unixepoch') AS payment_utc
FROM payments.p2p_transfers
ORDER BY timestamp DESC;
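
The two checks above can be combined into one pass over both files. The following Python is an added example, not macfor's code and not part of the original page: it opens each database read-only, tolerates any "expected" column a given build lacks, and merges rows found in both files. The names read_payments, collect_payments and source_files are hypothetical, and it assumes the same transfer_id in both files denotes the same transaction.

```python
import sqlite3
from datetime import datetime, timezone
from pathlib import Path

# Column names the page marks "expected"; a given Messenger build may lack some.
EXPECTED = ("transfer_id", "sender_id", "recipient_id", "amount", "currency",
            "memo", "status", "timestamp", "thread_url")
TABLES = {"p2p_requests": "request", "p2p_transfers": "transfer"}


def ms_to_iso(ms):  # Unix epoch milliseconds -> ISO 8601 UTC; None if not numeric
    if not isinstance(ms, (int, float)):
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def read_payments(db_path):
    """Return payment records from one database file, opened read-only."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # refuse writes
    con = sqlite3.connect(uri, uri=True)
    con.row_factory = sqlite3.Row
    records = []
    try:
        for table, rec_type in TABLES.items():
            cols = {r["name"] for r in con.execute(f"PRAGMA table_info({table})")}
            wanted = [c for c in EXPECTED if c in cols]
            if not wanted:  # table absent (no PRAGMA rows) or unrecognised layout
                continue
            for row in con.execute(f"SELECT {', '.join(wanted)} FROM {table}"):
                rec = {c: (row[c] if c in wanted else None) for c in EXPECTED}
                rec.update(type=rec_type, timestamp=ms_to_iso(rec["timestamp"]),
                           source_files=[str(db_path)])
                records.append(rec)
    finally:
        con.close()
    return records


def collect_payments(db_paths):
    """Merge sources; a (type, transfer_id) found twice lists both files."""
    merged = {}
    for path in db_paths:
        for rec in read_payments(path):
            tid = rec["transfer_id"]
            key = (rec["type"], tid) if tid is not None else object()
            first = merged.setdefault(key, rec)
            if first is not rec:  # same record in a second file: fill gaps, note file
                first.update({k: v for k, v in rec.items() if first[k] is None})
                first["source_files"] += rec["source_files"]
    return list(merged.values())
```

Run it against working copies of the evidence files, passing the main Lightspeed database first and the standalone p2p_transfer.db second. Where both files hold a value for the same field, the first file's value is kept.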

macfor Output Format

The macfor collector emits fbmessenger_payments records for all payment transactions found in both the Lightspeed database and any standalone p2p_transfer.db file:

{
  "type": "transfer",
  "transfer_id": "txn_123456",
  "sender_fbid": "100098765432101",
  "recipient_fbid": "100012345678901",
  "amount": 25.00,
  "currency": "USD",
  "memo": "Lunch",
  "status": "completed",
  "timestamp": "2024-05-20T14:00:00Z",
  "thread_url": "https://www.messenger.com/t/100012345678901",
  "account_fbid": "100098765432101",
  "user": "jdoe",
  "source_file": "/Users/jdoe/Library/Containers/com.facebook.archon/..."
}

The type field distinguishes between "request" (from p2p_requests) and "transfer" (from p2p_transfers).

Payment collection can be skipped with the --option skip_payments=true flag if not relevant to the investigation.

Investigation Scenarios

Financial Crime and Money Laundering

Payment records establish a financial relationship between FBIDs with specific amounts and memos. For financial crime investigations, the combination of message timestamps, payment timestamps, and memo text can document the structure of payment arrangements. Facebook's payment infrastructure is subject to financial regulations and provides a legal process pathway to Meta/Facebook Payments, Inc. for additional transaction records beyond what is stored locally.

Fraud and Extortion

Payment requests with memos and the associated conversation thread URL provide direct evidence of extortion or fraud schemes. The thread_url field points to the specific Messenger conversation where the payment demand occurred, allowing direct correlation with message content.

Drug Trafficking and Contraband

Memos on payment transfers may explicitly reference contraband or use coded language. Even when message content is encrypted, the payment memo — stored as transaction metadata — may contain explicit references.

Identifying Unknown Contacts

Recipient or sender FBIDs in payment records can be resolved to Facebook profile URLs at facebook.com/profile.php?id=<fbid>. This enables identification of parties even when their name does not appear in the local contact database.
