Discord Investigations

Written by Amber Schroader

August 20, 2020

Even if you do not game online, you might be familiar with the Discord platform. This communications hub is used by over a quarter of a billion people worldwide to communicate with their friends via voice, video, or text. You can also join larger communities/servers to talk with other people who share similar interests. Although Discord was designed for gaming, many communities have adopted it as a means to share information. This mass adoption has made Discord a good source of digital evidence.

Discord is available on desktop across a variety of operating systems, as well as on both iOS and Android mobile platforms. Each server has a variety of channels that can be joined based on specific topic areas, or a channel can be made for a group that you create. Each individual can join up to 100 servers, and you can adjust which of those servers send you notifications, such as when you are mentioned. Each of those servers can have 500,000 users, so as you might guess, this is a great hub for communications. Servers can be public or private depending on how they were set up. Typically, a public server caters to fans of a popular topic, such as Minecraft. Private servers can be focused on people in a particular group, such as DFIR, which has a Discord server.

Discord is free and you can use most of its functions without any issues, but there are paid options that add new capabilities to your profile. The big draw of a paid account is the improvement to video streaming, which is more applicable to the gaming groups. Servers can also get boosts that give bonuses to all the members of the server.

So, why does all this matter in digital forensics? With Discord being a primary hub of communication for Gen Z, it is important to include such information in your investigation. However, investigating Discord can be tricky because of the way it authenticates.

Step 1. Get Consent

As with all things cloud-based, you need the consent of the user to be able to use their credentials to log in to their account.

Step 2. Stay on Network

Discord tokens are authenticated to an IP address. To avoid also having to log in to the email account of the person whose credentials you are using, make sure you perform your collection from the same IP address as the consenting individual.

Step 3. Input Credentials

Using the Cloud Import Wizard, you can import the credentials of the consenting individual to begin your collection.

There are a variety of filters you can use when you are bringing in the data from Discord, from the date range to the areas you want to collect from.

Details you can collect include:

  • Server Name
  • Channel Name
  • Direct Messages
  • Usernames
  • Avatars
  • Attachments
  • Messages
  • Date last modified
  • Calls
  • Friends Status
    • Accepted friend
    • Blacklisted user
    • Pending user
    • Waiting for user to accept the invitation

Once the data is collected, it can be reviewed with indexing, OCR, and searches. Note that there is a limit of 10,000 records per grid that can be collected. As a new piece of evidence in your investigation, you will be shocked at what valuable insights you can get on your suspect based on their Discord data.

Review the entire capture process with the video tutorial on the Paraben YouTube channel, ParabenForensics.
