Facebook activities have grown in popularity along with the social networking site itself. However, many cases involve potential grooming offences in which the use of the Facebook platform and the Facebook App for mobile needs to be investigated. As various activities such as instant chats, wall comments and group events could create a number of footprints in different memory locations, the purpose of this study is to discover evidence of them on various platforms or devices.
The analysis process mainly uses various physical and logical acquisition tools for memory forensics, as well as Internet evidence finding tools for searching or rebuilding the web browser cache. After locating the evidence of a Facebook activity, its footprints could be examined by referring to the response from the corresponding Facebook communication. The same activity may be tested several times with different content to increase accuracy.
The research produced some significant findings. Facebook core objects could be located in different memory units including RAM, browser cache, pagefiles, unallocated clusters and system restore points of a computer. More importantly, these findings match those in virtual machines and the corresponding snapshot images. Although separate sets of results are obtained from an iPhone or Android phone due to the difference between the Facebook App and a standard web browser, evidence could still be located in the file system using mobile device forensics tools.
This is an abstract from the “Facebook Forensics” paper published by Valkyrie-X Security Research Group on July 5th. You can view it on Google Docs or download it in PDF format.