How Important are Facebook Artifacts?
In March 2013, Facebook reportedly had just over 1 billion users worldwide. Founded in February 2004, it can be considered one of the grandfathers of social networking. Nearly ten years later, and even with hundreds of other social networking sites out there, Facebook is still a very popular social medium. With increased popularity comes the potential that Facebook will be used in a crime, or at least as a secondary source of evidence providing information about the crime. As a social network, the likelihood of a suspect using Facebook as a communications medium to discuss an incident can be quite high. This whitepaper discusses the common Facebook artifacts that can be potential sources of vital evidence key to an investigation.
After reading this whitepaper you will be able to:
• Identify the common artifacts left behind when forensically examining Facebook activity
• Use digital forensics software to analyze and recover Facebook artifacts such as Chat, Messages, Wall Posts/Comments, Pictures, and URLs
Generally there are six specific categories of artifacts that can be individually identified when examining a computer’s hard disk:
1. Facebook Chat
This artifact is most commonly found in memory as JavaScript Object Notation (JSON) text in a running computer and/or in the pagefile.sys & hiberfil.sys file(s).
2. Facebook Messages
Facebook Chat and Messages are now the same artifact, but in older versions of Facebook these were two different artifacts. This artifact is most commonly found in the memory of a running computer and/or in the pagefile.sys and hiberfil.sys file(s).
3. Facebook Wall Post/Status Update/Comments
HTML that is carved from temporary internet files/web cache and memory.
Magnet Forensics - How To Uncover The Covered Tracks - 3
4. Facebook Webpage Fragment
A fragment of HTML that is carved from temporary internet files/web cache and memory.
5. Facebook Pictures
Facebook pictures have a specific filename pattern and are found in temporary internet files/web cache. The filename contains three sets of numbers, like the following:
‘1221785571_1221785571_10150672801465915_n.jpg’
The second set of numbers can indicate the Facebook user ID the photo belongs to, and it can be queried through Facebook’s ‘graph’ API here: https://developers.facebook.com/tools/explorer
6. Facebook URLs
A URL in any web-related (browser) artifact that references Facebook. These artifacts commonly reference other Facebook users or specific Facebook activity. For example:
“https://www.facebook.com/photo.php?fbid=201526933901245715&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater”
201526933901245715 is the photo ID
10150672801465915 is the album ID
1221785571 is the user ID
Viewed photos will appear in the cache file with the name:
‘1221785571_1221785571_10150672801465915_n.jpg’
Viewing messages for the profile currently being used:
http://www.facebook.com/messages/joey.flowes
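The picture-filename and URL breakdowns above lend themselves to a small parser. The following is an added example, not code from the whitepaper or from Magnet Forensics: it pulls the photo, album and user IDs out of a photo.php URL, matches cache filenames against the three-number pattern, carves such filenames out of arbitrary text (a cache index, for instance), and correlates cache files with URLs. The position of the album ID (second element of the set parameter) and user ID (last element), and the observation that the filename's third number equals the album ID, are taken from the page's single example and should be treated as assumptions rather than a documented Facebook format. The sample URL list and cache filenames are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Cache filename pattern described above: three numeric groups, a size letter, ".jpg".
# Which group holds which ID is inferred from the page's example (assumption): the
# second group is the user ID and the third matches the album ID in the photo.php URL.
CACHE_NAME_RE = re.compile(r"(\d+)_(\d+)_(\d+)_([a-z])\.jpg")

# Constructed sample inputs: the whitepaper's own URL/filename plus unrelated entries.
SAMPLE_URLS = [
    "https://www.facebook.com/photo.php?fbid=201526933901245715"
    "&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater",
    "http://www.facebook.com/messages/joey.flowes",
    "https://www.example.com/index.html",
]
SAMPLE_CACHE_NAMES = [
    "1221785571_1221785571_10150672801465915_n.jpg",
    "cachefile[1].htm",
    "555000111_555000222_555000333_s.jpg",
]


def parse_cache_filename(name):
    """Return the numeric groups of a Facebook-style cache filename, or None."""
    m = CACHE_NAME_RE.fullmatch(name)
    if not m:
        return None
    return {"first": m.group(1), "user_id": m.group(2),
            "album_id": m.group(3), "size": m.group(4)}


def parse_photo_url(url):
    """Extract photo/album/user IDs from a facebook.com photo.php URL, or return None."""
    parsed = urlparse(url)
    if parsed.netloc.lower() not in ("www.facebook.com", "facebook.com"):
        return None
    if parsed.path != "/photo.php":
        return None
    params = parse_qs(parsed.query)  # value-less "theater" is dropped, which is fine
    photo_id = params.get("fbid", [None])[0]
    album_id = user_id = None
    set_param = params.get("set", [None])[0]
    # "at.<album>.<...>.<user>": album ID is the second element, user ID the last
    # (assumption based on the page's example).
    if set_param and set_param.startswith("at."):
        parts = set_param.split(".")
        if len(parts) >= 3:
            album_id, user_id = parts[1], parts[-1]
    return {"photo_id": photo_id, "album_id": album_id, "user_id": user_id}


def carve_cache_names(blob):
    """Find every cache-style picture filename inside arbitrary text."""
    return [m.group(0) for m in CACHE_NAME_RE.finditer(blob)]


def correlate(urls, cache_names):
    """Pair cache filenames with photo.php URLs that agree on user ID and album ID."""
    hits = []
    parsed_urls = [(u, parse_photo_url(u)) for u in urls]
    for name in cache_names:
        info = parse_cache_filename(name)
        if info is None:
            continue
        for url, u in parsed_urls:
            if u and u["user_id"] == info["user_id"] and u["album_id"] == info["album_id"]:
                hits.append((name, url))
    return hits


if __name__ == "__main__":
    for name, url in correlate(SAMPLE_URLS, SAMPLE_CACHE_NAMES):
        print(f"{name} <-> {url}")
```

Running the block pairs the page's cache filename with the page's photo.php URL and ignores the messages URL, the non-Facebook URL and the cache entries that do not fit the pattern. Because the correlation keys on two IDs rather than one, a coincidental match on a short number is less likely, which matters when the IDs come from carved, partially overwritten data.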
Now that we’ve discussed the kinds of artifacts you are likely to encounter when examining evidence looking for Facebook activity or generally searching for any Facebook related activity, let’s look at how you can recover them.
Facebook can be an indispensable online resource when recovering forensic artifacts to use as digital evidence. It can provide a glimpse into an individual’s life, offer geographical information to indicate where a person was on a specific date, and can reveal the identities of close friends and family. With Facebook applications available on most mobile devices, further location data is available with GPS, making these forensic artifacts even more valuable to the investigator.
Recovering 6 Types of Facebook Forensic Artifacts
In this whitepaper, we’ll go over the 6 most common categories of forensic artifacts that are left behind by a person’s Facebook activity. We’ll also demonstrate how our digital forensics software, IEF, can be used to analyze and recover forensic artifacts from the following categories:
- Facebook Chat
- Facebook Messages
- Facebook Wall Posts/Comments
- Facebook Webpage Fragment
- Facebook Pictures
- Facebook URLs
Facebook artifacts can be one of those artifacts that may not seem to apply to your specific case, but suddenly get thrust into the forefront of your investigation because of a conversation, wall post, association or other link made solely through the user’s Facebook account. Like general Internet history/activity, it’s one of those categories that you really can’t afford not to review.
Internet Evidence Finder (IEF) includes support for Facebook under the social media artifact category. Finding and reviewing these types of artifacts is extremely simple when using Internet Evidence Finder.
There are four search types that you can use in Internet Evidence Finder when looking for Facebook artifacts:
1. Full Search
This is the default search type when using IEF to analyze NTFS, FATx, HFS+ & EXTx. This search type allows IEF to parse the file system of each volume and identify all the various objects (files, folders & unallocated space) so that it can search them all. On NTFS partitions, it also individually identifies file system objects such as the $MFT & $LogFile for targeted searching.
2. Quick Search
This search type causes IEF to search specific file system objects and common file and folder locations that normally contain Internet-related artifacts. For example, this type of search would target the default locations for supported browser histories, but would not check every single file/folder.
3. Sector Search
This is the default search type when examining a drive/image that contains an unknown file system. This allows IEF to search each sector for known artifacts even if the file system itself cannot be read/interpreted.
4. Custom Search
The custom search type allows the user to specify which areas of the volume to search by selecting/deselecting the various options.
When looking for Facebook artifacts, using IEF with the “Full search” type would be the recommended option, since it looks everywhere (including unallocated space, for deleted Facebook artifacts). As long as the browser history was not moved to a non-standard location, you could also use the “Quick search” option. The “Custom search” option would also work, as long as you chose to search all files or the common areas/folder locations. Once IEF has completed the artifact search, Facebook artifacts are individually identified and categorized separately from common web browsing artifacts.
You can then review each Facebook artifact category separately by clicking on the respective artifact subcategory and viewing the details in the table view.
Each found artifact will have a file (if the artifact was found in a specific file) or physical offset (if the artifact was found in unallocated space or when using the sector search option) displayed in the lower details pane, so you can find the same artifact using other 3rd-party tools for validation and additional research.
http://www.magnetforensics.com/recovering-facebook-artifacts/