In March 2013, Facebook reportedly had just over 1 billion users worldwide.
Founded in February 2004, it can be considered one of the grandfathers of
social networking. Nearly ten years later and even with hundreds of other social
networking sites out there, Facebook is still a very popular social medium.
With that popularity comes the potential that Facebook will be used in
a crime, or at least serve as a secondary source of evidence providing information
about the crime. Because it is a social network, the likelihood that a suspect used
Facebook as a communications medium to discuss an incident can be quite
high. This whitepaper discusses the common Facebook artifacts that can
be potential sources of vital evidence key to an investigation.
As an example, in a theft/stolen property case Facebook was used to get a complete family history and an idea of
how the person lived by looking at photos and connecting family members together. Facebook provided the links that
allowed for looking up residence information based on connections and family ties. It also provided phone numbers
that were listed in comments and later tied to fraudulent ads on Craigslist.
Facebook can also provide a wealth of information as a forensics artifact when conducting host-based forensics. In the past
few years there have been several high-profile cases that involved Facebook artifacts even though the crime was not
associated with traditional ‘computer-related’ offenses. For example, here is a recent case where Facebook messages
were found on a victim’s computer (and later on the suspect’s computer) and used to identify a suspect in a murder case.
“Riverside County sheriff’s Investigator Tony Pelato, a computer forensics expert, said he found Facebook chat
messages in Guzman’s computer between Santhiago and Leal, inviting Leal to buy some liquor and meet her at a
park near Roanoke Street where Leal was killed. The chat messages were written minutes before the shooting.”
Or this one:
“According to state police, detectives interviewed a young man named Bryan Butterfield a day after Cable was
reported missing. Butterfield told police that someone had created a phony Facebook account in his name, and police
traced it to Dube’s parents’ house in Orono.
Cable was frequently contacted by the fake Butterfield and agreed to meet with him at the end of her road to get
some marijuana the night she went missing, according to the state police affidavit.
Social media’s role in Nichole’s disappearance and death was a wakeup call for students, many of whom have
become paranoid about online contacts, said Pattershall, Cable’s friend.”
1. Facebook Chat
This artifact is most commonly found as JavaScript Object Notation (JSON) text in the memory of a running
computer and/or in the pagefile.sys and hiberfil.sys files. Note that hiberfil.sys stores memory pages in
compressed form, so a plain keyword search over it will miss most fragments unless the file is first
decompressed into a raw memory image.
2. Facebook Messages
Facebook Chat and Messages are now the same artifact, but in older versions of Facebook they were two
different artifacts. This artifact is most commonly found in the memory of a running computer and/or in the
pagefile.sys and hiberfil.sys files.
HTML that is carved from temporary internet files/web cache and memory.
A fragment of HTML that is carved from temporary internet files/web cache and memory.
5. Facebook Pictures
Facebook pictures have a specific filename pattern and are found in temporary internet files/web cache. The
filename contains three sets of numbers like the following:
‘1221785571_1221785571_10150672801465915_n.jpg’
The second set of numbers can indicate the Facebook user ID the photo belongs to, and that ID can be looked up
through Facebook's Graph API Explorer at https://developers.facebook.com/tools/explorer. Keep in mind that this is
a live query against Facebook made from the examiner's own account, not from the evidence, and that the ID may not
resolve for content that is no longer public.
6. Facebook URLs
A URL in any web related (browser) artifact that references Facebook URLs. These artifacts commonly
reference other Facebook users or specific Facebook activity.
“https://www.facebook.com/photo.php?fbid=201526933901245715&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater”
Viewed photos will appear in the cache file with the name:
‘1221785571_1221785571_10150672801465915_n.jpg’
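As an added example (not code from the original whitepaper or from IEF), the following Python script parses the two artifact shapes just described, the three-number cached picture filename and the photo.php URL, and pairs URLs with cached pictures that share a numeric identifier. It assumes only what the text above states about the formats; which position in the filename or in the 'set' parameter carries which Facebook object is left to the examiner to verify, and the sample inputs beyond the URL and filename quoted above are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Cached Facebook picture filename pattern described above: three runs of digits
# separated by underscores, a one-letter size suffix and a .jpg extension.
PICTURE_RE = re.compile(r'^(\d+)_(\d+)_(\d+)_([a-z])\.jpg$')


def parse_picture_filename(name):
    """Split a cached Facebook picture filename into its three numeric sets.
    Returns None for filenames that do not follow the pattern, so unrelated
    cache entries can be skipped."""
    m = PICTURE_RE.match(name)
    if not m:
        return None
    return {'first': m.group(1), 'second': m.group(2),
            'third': m.group(3), 'size_suffix': m.group(4)}


def parse_photo_url(url):
    """Extract fbid and the dot-separated components of the 'set' parameter
    from a facebook.com/photo.php URL; returns None for any other URL."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if not (host == 'facebook.com' or host.endswith('.facebook.com')):
        return None
    if not parsed.path.endswith('/photo.php'):
        return None
    qs = parse_qs(parsed.query)
    fbid = qs.get('fbid', [None])[0]
    set_param = qs.get('set', [None])[0]
    parts = set_param.split('.') if set_param else []
    return {'fbid': fbid,
            'set_type': parts[0] if parts else None,          # 'at' in the URL above
            'set_ids': [p for p in parts[1:] if p.isdigit()]}


def correlate(urls, filenames):
    """Pair each photo.php URL with cached pictures that share at least one
    numeric identifier with it and report which identifiers matched. A shared
    number is a lead for the examiner to verify, not proof of identity."""
    matches = []
    for url in urls:
        u = parse_photo_url(url)
        if u is None:
            continue
        url_ids = set(u['set_ids'])
        if u['fbid']:
            url_ids.add(u['fbid'])
        for name in filenames:
            f = parse_picture_filename(name)
            if f is None:
                continue
            shared = url_ids & {f['first'], f['second'], f['third']}
            if shared:
                matches.append({'url': url, 'file': name, 'shared_ids': sorted(shared)})
    return matches


# Constructed sample input: the URL and filename quoted in the text above, plus
# two unrelated entries of the kind found alongside them in a browser cache.
SAMPLE_URLS = [
    'https://www.facebook.com/photo.php?fbid=201526933901245715'
    '&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater',
    'https://www.example.com/photo.php?fbid=1',   # not Facebook: ignored
]
SAMPLE_FILES = [
    '1221785571_1221785571_10150672801465915_n.jpg',
    '555555_666666_777777_s.jpg',                 # matches the pattern, shares no IDs
    'favicon.ico',                                # not a Facebook picture
]

if __name__ == '__main__':
    for hit in correlate(SAMPLE_URLS, SAMPLE_FILES):
        print(hit['file'], '<->', hit['url'])
        print('  shared identifiers:', ', '.join(hit['shared_ids']))
```

Run against the quoted URL and filename, the script reports that 10150672801465915 and 1221785571 occur in both, which is exactly the link between "viewed photo" and "cache file" the text describes; the examiner still has to establish what each number denotes.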
Now that we’ve discussed the kinds of artifacts you are likely to encounter when examining evidence for
Facebook activity, let’s look at how you can recover them.
There are tools available to assist in the recovery of Facebook artifacts, including Magnet Forensics’ Internet
Evidence Finder (IEF). IEF includes support for Facebook under the social media artifact category or the Android/iOS
artifact categories for mobile images.
For mobile devices, both Android and iOS Facebook artifacts are supported and can provide investigators a wealth of
information, including the typical artifacts listed above as well as potential GPS coordinates for where a message was sent.
Finding & reviewing these types of artifacts is extremely simple when using IEF. There are four search types that you
can use when looking for Facebook artifacts:
1. Full Search
Full search is also available for any Android or iOS physical image acquired by the investigator.
2. Quick Search
This search type causes IEF to search specific file system objects and common files and folder locations that
normally contain Internet-related artifacts. For example, this type of search would target the default locations
for supported browser histories, but would not check every single file/folder.
3. Sector Search
This is the default search type when examining a drive/image that contains an unknown file system. This allows
IEF to search each sector for known artifacts even if the file system itself cannot be read or interpreted.
4. Custom Search
The custom search type allows the user to specify which areas of the volume to search by
selecting/deselecting the various options.
When looking for Facebook artifacts using IEF, the recommended search option is the “Full Search” since it will look
everywhere—including unallocated space for deleted Facebook artifacts. As long as the browser history was not moved to
a non-standard location, you can also use the “Quick search” option. The “Custom search” option would also work as long
as you chose to search all files or common areas/folder locations. Once IEF has completed the artifact search, Facebook
artifacts are individually identified and categorized separately from common web browsing artifacts.
Each found artifact will have a file (if the artifact was found in a specific file) or physical offset (if the artifact was found
in unallocated or when using the sector search option) displayed in the lower details pane so you can find the same
artifact by using other 3rd party tools for validation and additional research.
The example above shows that IEF identified the Facebook Chat message “do you like fun?” In the details of the artifact,
the source and physical location of the evidence are identified as Sector 11982396, in unallocated space on an NTFS
image. Taking that information and verifying the details in Disk View using EnCase produces the same result.
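The validation step just described, and the description of Facebook Chat as JSON text carved from memory, pagefile.sys or unallocated space under items 1 and 2 above, can both be illustrated with one added example. The Python script below is not IEF's code and not from the original whitepaper: it carves chat-like JSON fragments from a raw buffer, reports each hit as a sector number plus in-sector offset so the same bytes can be located in a second tool, and salvages the message text when the fragment is truncated. The `"t":"msg"` anchor and the `for (;;);` prefix are assumptions modelled on older Facebook chat traffic, the field names in the planted fragments are likewise assumed, and the image itself is constructed for the example.

```python
import json
import re

SECTOR_SIZE = 512   # assumed sector size of the image; use 4096 for 4K-native media

# Anchor used to locate candidate chat fragments. Older Facebook chat responses
# were JSON carrying a "t":"msg" type field (often behind a 'for (;;);' guard);
# the anchor and the field names used below are ASSUMPTIONS for this example.
MARKER = re.compile(rb'"t"\s*:\s*"msg"')
TEXT_FALLBACK = re.compile(rb'"text"\s*:\s*"((?:[^"\\]|\\.)*)"')
FALLBACK_WINDOW = 2048   # how far past a truncated object to look for its text


def _enclosing_object(buf, pos):
    """Return (start, end) of the brace-balanced JSON object around pos.
    end is None when the closing brace is missing (truncated fragment); the
    whole result is None when no opening brace precedes pos. Braces inside
    string values are not special-cased."""
    depth, start = 0, None
    for i in range(pos, -1, -1):
        c = buf[i:i + 1]
        if c == b'}':
            depth += 1
        elif c == b'{':
            if depth == 0:
                start = i
                break
            depth -= 1
    if start is None:
        return None
    depth = 0
    for j in range(start, len(buf)):
        c = buf[j:j + 1]
        if c == b'{':
            depth += 1
        elif c == b'}':
            depth -= 1
            if depth == 0:
                return start, j + 1
    return start, None


def _find_key(obj, key):
    """Depth-first search for key in nested dicts/lists."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            found = _find_key(item, key)
            if found is not None:
                return found
    return None


def carve_chat_fragments(image, sector_size=SECTOR_SIZE):
    """Scan the whole buffer and report every chat fragment with the sector and
    in-sector offset an examiner can jump to in another tool. Scanning the
    buffer as a whole, not one sector at a time, keeps fragments that
    straddle a sector boundary intact."""
    hits = []
    for m in MARKER.finditer(image):
        span = _enclosing_object(image, m.start())
        start, end = span if span else (m.start(), None)
        text, status, parsed_ok = None, 'corrupt', False
        if end is not None:
            try:
                obj = json.loads(image[start:end].decode('utf-8', errors='replace'))
                text, status, parsed_ok = _find_key(obj, 'text'), 'parsed', True
            except json.JSONDecodeError:
                pass
        if not parsed_ok:
            # Truncated or unparseable object: salvage the message text by regex.
            t = TEXT_FALLBACK.search(image, start, start + FALLBACK_WINDOW)
            if t:
                text, status = t.group(1).decode('utf-8', errors='replace'), 'partial'
        last = (end if end is not None else start + 1) - 1
        hits.append({'sector': start // sector_size,
                     'sector_offset': start % sector_size,
                     'byte_offset': start,
                     'spans_sectors': last // sector_size != start // sector_size,
                     'status': status,
                     'text': text})
    return hits


def build_sample_image():
    """Constructed test image (not real evidence): eight zero-filled sectors with a
    complete fragment planted across the sector 2/3 boundary and a truncated
    fragment planted in sector 6, as a pagefile might hold it."""
    img = bytearray(SECTOR_SIZE * 8)
    full = (b'for (;;);{"t":"msg","c":"p_1001","ms":[{"type":"msg","msg":{"text":'
            b'"do you like fun?","time":1362690000000,"msgID":"mid.1"},'
            b'"from":1001,"to":1002}]}')
    off = SECTOR_SIZE * 3 - 40
    img[off:off + len(full)] = full
    truncated = b'{"t":"msg","c":"p_1002","ms":[{"type":"msg","msg":{"text":"meet me at the park"'
    off = SECTOR_SIZE * 6 + 100
    img[off:off + len(truncated)] = truncated
    return bytes(img)


if __name__ == '__main__':
    for hit in carve_chat_fragments(build_sample_image()):
        print(f"Sector {hit['sector']} (+{hit['sector_offset']}) [{hit['status']}]: {hit['text']!r}")
```

The sector number is what you carry into a second tool: multiply it by the sector size, add the in-sector offset, and the same JSON should be visible at that byte offset in a hex or disk view, which is the validation step the text performs with EnCase. The 'partial' status flags fragments whose closing brace was overwritten, which are common in pagefile.sys and unallocated space and would otherwise be discarded by a strict JSON parser.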