±Your Account
Membership:
New Today: 4
New Yesterday: 11
Overall: 24360
Visitors: 50
±Latest Articles
· Catching the ghost: how to discover ephemeral evidence with Live RAM analysis
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
±Follow Us
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
Go to page Previous 1, 2
Again: this info is outdated - in fact, I only commented on this, because it is outdated for the use in CDN exploitation, but might still be helpful for forensic artifacts.
The generic format formerly was
CIDrandom_CID_PID_PIDrandom_totalrandom_type.jpg
and could have been shortend to
CIDrandom_CID_totalrandom_type.jpg
for the purpose of privacy friendly linking. In this case, PIDrandom made it (a bit) difficult to check a PID against a shortened file name. The file with the short name could have been retrieved for _every_ photo having the long name. However, e.g. when parsing an album, photos were randomly delivered with long and short names.
Besides the generic format, there were special photo types, e.g. the pre-timeline profile picture, named like this:
PIDrandom_PID_totalrandom_type.jpg
Their type indicator did not correspond to type indicators in albums/to the generic naming convention. So the subject of a "n" profile picture might have been found in a better resolution under generic naming as an "n" album picture in the "profile pictures" album.
Today's three number groups are completely different.
Facebook URLs
Re: Facebook URLs
Posted: Fri Nov 16, 2012 1:08 pm
Just a quick note that Facebook has changed its CDN URLs.
At the time of the question, one could have assumed a generic format of 5 number groups (2 IDs, 3 pseudo random obfuscators - one for each ID, one for all) plus image type indicator, shortened to three number groups for certain purposes (1 ID, 2 pseudo random; e.g. profile pictures without the content ID and its random number, or album pictures without the UID and its random number).
Today only file names with three number groups should be retrieved through a facebook page. However, the CDN retains files matching the old naming convention.
At the time of the question, one could have assumed a generic format of 5 number groups (2 IDs, 3 pseudo random obfuscators - one for each ID, one for all) plus image type indicator, shortened to three number groups for certain purposes (1 ID, 2 pseudo random; e.g. profile pictures without the content ID and its random number, or album pictures without the UID and its random number).
Today only file names with three number groups should be retrieved through a facebook page. However, the CDN retains files matching the old naming convention.
-
C.R.S. - Member
Re: Facebook URLs
Posted: Tue Dec 04, 2012 11:57 am
One thing I have noticed in my current examination (unconnected with the one that spawned the original post).
As stated before, Facebook uses two types of Image URLs :
<num 1>_<num 2>_<facebook ID num>_<num 4>_<num 5>_<size letter>.jpg
<num1>_<num 2>_<num 3>_<size letter>.jpg
I have noticed that when a image has both the long and short format (maybe the suspect visited the image previously before the files were renamed to the shorter format), in this instance both the first, second, and third groups of the short name correspond to the first, second, and last groups in the long file name.
That is to say that one can convert a long filename to a short one by taking out groups 3 and 4.
As stated before, Facebook uses two types of Image URLs :
<num 1>_<num 2>_<facebook ID num>_<num 4>_<num 5>_<size letter>.jpg
<num1>_<num 2>_<num 3>_<size letter>.jpg
I have noticed that when a image has both the long and short format (maybe the suspect visited the image previously before the files were renamed to the shorter format), in this instance both the first, second, and third groups of the short name correspond to the first, second, and last groups in the long file name.
That is to say that one can convert a long filename to a short one by taking out groups 3 and 4.
-
twjolson - Senior Member
Re: Facebook URLs
Posted: Tue Dec 04, 2012 1:05 pm
- twjolson
As stated before, Facebook uses two types of Image URLs :
<num 1>_<num 2>_<facebook ID num>_<num 4>_<num 5>_<size letter>.jpg
<num1>_<num 2>_<num 3>_<size letter>.jpg
Again: this info is outdated - in fact, I only commented on this, because it is outdated for the use in CDN exploitation, but might still be helpful for forensic artifacts.
The generic format formerly was
CIDrandom_CID_PID_PIDrandom_totalrandom_type.jpg
and could have been shortend to
CIDrandom_CID_totalrandom_type.jpg
for the purpose of privacy friendly linking. In this case, PIDrandom made it (a bit) difficult to check a PID against a shortened file name. The file with the short name could have been retrieved for _every_ photo having the long name. However, e.g. when parsing an album, photos were randomly delivered with long and short names.
Besides the generic format, there were special photo types, e.g. the pre-timeline profile picture, named like this:
PIDrandom_PID_totalrandom_type.jpg
Their type indicator did not correspond to type indicators in albums/to the generic naming convention. So the subject of a "n" profile picture might have been found in a better resolution under generic naming as an "n" album picture in the "profile pictures" album.
Today's three number groups are completely different.
-
C.R.S. - Member