Summary: | The way netizens communicate with each other deeper with the advent of Instant Messaging
applications (IM apps). Thus, its flexibility and quick response on the IM apps has attracted the
attentions of cybercriminal operations on the apps such as identity theft and phishing. The forensic
investigation of instant messaging apps for the newest Windows 10 OS has been largely
uninvestigated. Previous research dealt with dead analysis of the IM apps which did not guaranty
accurate result for evidence. But, this research seeks to utilize the four stages of forensic
investigation evidence: identification, collection, analysing and reporting. Furthermore, the study
figured out data remnants from the top 1% Windows stores application software known as
Facebook Instant Messaging apps on Windows 10 OS client machine. The research have focused
on the volatile and nonvolatile artefacts with the aid of VM workstation version (VM) 9.0.0 build
812388 running Windows 10 (professional server pack1,64 bit, build 9600) while setting 2GB of
physical memory and 20GB of hard disk. The research was be able to detect the kinds of terrestrial
artefacts that are obtained after the use of Instant messaging services and software on the contemporary Windows 10 OS. The findings from this research will contribute to the forensic
community’s understanding of types of terrestrial artefacts (login details, Installations, friend list,
contacts, username, passwords, conversions etc.) which can be used on the establishment of
evidence against the suspect on the court of law by forensic examiner.