Social Discovery Project help

(@dermot29)
Posts: 15
Active Member
Topic starter
 

Hey all. I'm a third year Digital Forensics Student currently looking at the area of Social Discovery and evidence recovery from social networking sites such as Facebook and Twitter. For my assignment I am required to develop a tutorial in some particular area of digital forensics. I am looking closely at this area because I think it's new and relevant today. The problem I am having is I cannot find any good free tools to work with.

My idea is to set up a few social networking accounts and create a scenario that may involve something such as a suspicious death. I want to be able to have evidence on these accounts that something suspicious may have been going on between the account holders, and I want to be able to reach a fairly straightforward conclusion from the evidence I recover.

I am looking for any helpful advice. I have applied for some free trial versions of software such as X1 Social Discovery, which seems to have the best rep on the web. I have not received any reply from two requests, probably because I'm a student. I have looked at software from Afentis Forensics, but it does not seem very good on first try (poor interface and structure).

I would welcome any recommendations on tools or any ideas on other tools I could use such as FTK, which may work for this.

I am also eager to find out exactly what kind of information you can recover from Facebook/Twitter other than posts, images, videos and chat history.

Is there anything more in depth that can be recovered?
Are there any other tools I should be looking at?
Are there any other folders/locations/files that I should be looking at?

Sorry, that's quite a long post.
I intend to use a Windows laptop for this assignment and perhaps an Android and Apple phone.

Thank you for your advice

 
Posted : 07/04/2014 7:22 pm
(@a-nham)
Posts: 32
Eminent Member
 

I am not completely sure if what you are trying is exactly what I am thinking, but I think the following info may be helpful.

Check out bulk_extractor. It is a file carving tool and can be used to extract certain social media account(s) info and certain interactions that have occurred. I don't remember if the actual posts will be extracted, but it does extract some information on accounts for sure. I think it is even open source, but don't quote me on that; however, there is definitely a Windows version.

Someone (not me, credit goes to him completely) has already done a bit of research on this topic, which may help you:
https://www.youtube.com/watch?v=57RWdYhNvq8

Link to bulk_extractor:
http://digitalcorpora.org/downloads/bulk_extractor/

If you are interested in images too, you may also want to just go and do a more old school browser analysis. This will also give you some visited links and visited pages, which may be good for correlation of events and timestamping. Internet Evidence Finder by Magnet Forensics is a software that I can think of off the top of my head; however there are definitely other options, which unfortunately I don't remember off the top of my head. If you are interested in using this path of analysis on your homework, just reply back and I'll try and find you some more.

Some of the artifacts supported by IEF:
http://www.magnetforensics.com/software/internet-evidence-finder/supported-artifacts/

Suggestion:
VMs are your friend if you are a student like me; this can keep your test bed clean of your personal data (making searching easier) and you can network them together quite easily. This may make your demo easier. But this is just a suggestion, use whatever you have access to and are familiar with.

Can't really tell you if you will find anything more in depth, especially with constant changes in security implementations by these social media companies. Hope this was the actual topic that you were interested in and hope this was helpful.

 
Posted : 08/04/2014 7:35 am
(@dermot29)
Posts: 15
Active Member
Topic starter
 

a.nham, thanks for the reply. Some really useful advice there. I am now looking at all these tools for my assignment. I am currently downloading VMware. When I initially started this, I thought virtual machines would be useful. Problem is, I'm only used to using Oracle VirtualBox, which is fine for operating systems and networking.

I could really use some advice on VMware. I understand it is useful for investigations and for loading images to their original operating system. I am not sure how they can be used academically.

Is it possible to set up a virtual machine on VMware and capture an image of its storage for analysis on my host? Will this storage contain all the artifacts I need to acquire?

Any advice would be great. I'm just not sure how I can interact with the evidence/storage on the virtual machine, and also which version of VMware I should be using. I'm currently installing Workstation 10, to see what I can make of it.

Thanks again

 
Posted : 12/04/2014 4:13 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Problem is, I'm only used to using Oracle Virtualbox, which is fine for operating systems and networking.

ALL VMs work by the same principles.

There are not any particular differences in using VMware when compared to VirtualBox, the "theory" is the same.

"Virtual" hardware is emulated/simulated, making use of a "virtual mass storage device" (a hard disk drive/floppy/CD image).

Consider how you can use RAW disk images in VMware, see
http://sanbarrow.com/vmdk/disktypes.html

Though also a "static" VHD is nothing but a RAW image with a single sector appended, and hard disk image formats can be translated back and forth easily.

And do not underestimate the convenience of Qemu (though slower).

The point is if you want to actually boot the disk image in the VM (which most likely won't work because of "wrong" hardware drivers and in any case would not be "forensically sound").

There is a tool if you want to explore that direction:
http://liveview.sourceforge.net/

jaclaz

 
Posted : 12/04/2014 6:55 pm
(@a-nham)
Posts: 32
Eminent Member
 

jaclaz is right, all VMs should, for your purpose, function about the same. If you are more familiar with VirtualBox use that, it should still let you network computers just as well as any other VM. Versions do not matter that much as long as you use the same one for all your test subjects (exception being compatibility and unexpected bugs).

Without taking all the fun and work out of your project, what I would personally do is a clean install on your VM, take a snapshot, do one variable, snapshot, use the original clean-install snapshot, repeat the process until you have it all (you can also do multiple installs... no real difference). Then map it to your test VM (or just your actual OS) and do your forensics work on it. A mapped VM should be able to detect the VM for you to do forensics, or you can convert to dd and do forensics on the actual OS. Obviously, there are many ways to do this process, mine are just examples of what is possible.

The academic part is doing this like a science lab, do it variable by variable as consistently as possible. For example, if you do facebook.com alone for one VM, don't go to ebay before going to twitter on your next one. This could invalidate your results as one can claim ebay may have corrupted your twitter results, or the lack of ebay on your facebook could be a lack of a controlled variable (equally invalid). Also don't do all your images in one test, for example, don't do facebook then continue with twitter on the same VM. This could invalidate your results as your facebook results could have corrupted your twitter results (and vice versa). These are just academic claims, actual corruption may not have occurred.

This link may be a better explanation to your problems with evidence gathering than my own (it also explains why jaclaz recommended Qemu):
http://www.forensicfocus.com/Forums/viewtopic/printertopic=1/t=10862/start=0/postdays=0/postorder=asc/vote=viewresult/

Hope this helps

 
Posted : 13/04/2014 7:19 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Should you go for the Qemu way, this might be of use:
http://reboot.pro/topic/18718-cannot-get-winvblock-to-work/#entry174778
Qemu Manager is a graphical interface that can be useful for someone starting to deal with Qemu.

jaclaz

 
Posted : 13/04/2014 3:30 pm
(@dermot29)
Posts: 15
Active Member
Topic starter
 

Thanks all for your advice. I do realize that VirtualBox and VMware do the same thing. I just thought that VMware might have had more beneficial uses for investigations, more workable file formats etc., and it seems it does.

In relation to my assignment, I have now decided to narrow the scope considerably. I have too many assignments and too little time left in the semester. I now hope to create a tutorial that will act as an introduction to social networking and forensics. It basically has to be something that first years can look at and follow easily. I found this informative paper on the web and want to explore some of the areas mentioned in it:

http://www.fbiic.gov/public/2011/jul/facebook_forensics-finalized.pdf

I would like to use a virtual machine image as my target of analysis, but I am still a little confused with how exactly I can convert, say, a VirtualBox VDI image to dd. I am looking at qemu-img convert, but this seems Linux based. Anyway, if I manage to convert a Windows 7 machine VDI to dd, will this dd image have all the directory structures of Windows that were on it?
Just to clarify exactly what I'm trying to do here:

I need to have a tutorial with a piece of test data, i.e. the raw image. This image will contain files and folders which will contain areas such as browser cache that I can recover some evidence from using some common tools. I need to be able to provide this tutorial and image to first years next year so that they can follow it and get the same results using the same tools I did. Any extra help would be great.

 
Posted : 14/04/2014 3:02 am
(@a-nham)
Posts: 32
Eminent Member
 

What VM you use is totally up to you, I just thought that you would choose what you are familiar with. If VMware came with more benefits for you, feel free to use it. From what I know, qemu is just command line based, it is not exclusive to Linux.

First, I need to say that I have not personally done any forensics analysis from a qemu converted dd image, so take what I am about to say about conversion with a grain of salt. But yes, your converted dd image should "in theory" be a volume, so it should have all the file system stuff for you to carve.

Again, as jaclaz said, Qemu Manager if you are less familiar with qemu:
http://wiki.laptop.org/go/Using_QEMU_on_Windows

I'm sure you know this already, but you can't do a complete demo of what you are doing in 3 hours or less. Either you have to shrink your evidence to just carving the ones you need or you have to just show how to do it and tell them the results. File carving and RAM analysis are not exactly the fastest or least processor intensive tasks in the world. You can do a tutorial, no problem, just not a full live demo.

Freshmen following it may be a bit of a problem for you. For one, carving is time and CPU intensive. I am not sure about your school, but at mine and at certain certificate programs, all of the forensics tools are on a Windows VM on a university server, so if everyone uses the CPU at 100%, the server may crash. Secondly, I remember you having problems getting a trial to some tools, don't know if you have all of them already, but if you are to reproduce the results with the students, they also need the tools too. You need to decide on asking for trials for all of them or just using what your school already has. Lastly, I took a super brief look at some of the tools that were used for the Facebook analysis and I am not sure how many of those tools you currently have access to through your university or personal licensing, but you may have to just use open source alternatives for anything you don't already have (if such a product exists), if you want to avoid the second problem.

Hope this info helps.

 
Posted : 14/04/2014 7:07 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I guess I will need to bite 😯 wink.

FORGET (temporarily) about VirtualBox's VDI.

VirtualBox can use VMware VMDK images fine.
http://www.virtualbox.org/manual/ch05.html#vdidetails

Among ALL the available VMware image formats, AFTER having read fully this (already given) page
http://sanbarrow.com/vmdk/disktypes.html
AND this page (same site)
http://www.sanbarrow.com/vmdk-basics.html
choose to use the "monolithic-flat" type ONLY.

This is made of two parts:

  1. the "real" image <- this is a "dd like" image
  2. the descriptor file for it

You can create the descriptor file manually, see
http://sanbarrow.com/vmdk-howtos.html

If you want to use MS Virtual PC, then you have to add a descriptor sector to the image (the last, appended sector is the Connectix descriptor).

The tool Clonedisk
http://labalec.fr/erwan/?page_id=42
can manage these conversions to/from a "plain" dd image automatically.

jaclaz

 
Posted : 14/04/2014 2:08 pm
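As an added example (not code from this thread, nor from Clonedisk or any other tool named in it), the Python below applies jaclaz's two points: it checks whether an image is a plain dd file or a "static"/fixed VHD (raw data plus one appended 512-byte "conectix" footer), and writes the text of a monolithic-flat VMDK descriptor that points at the raw data. The footer offsets and descriptor fields follow the public VHD and VMDK formats; the file names, sizes and the zero-filled sample images are constructed for the demo.

```python
import os
import struct
import tempfile

SECTOR = 512  # VHD footer size and VMDK extent sector size

def vhd_footer(path):
    """(disk_type, current_size) if the file ends in a 'conectix' VHD footer, else None."""
    with open(path, "rb") as f:
        f.seek(max(0, os.path.getsize(path) - SECTOR))
        footer = f.read(SECTOR)
    if not footer.startswith(b"conectix"):
        return None
    return struct.unpack(">I", footer[60:64])[0], struct.unpack(">Q", footer[48:56])[0]

def raw_payload_bytes(path):
    """Raw disk bytes: the whole file for a dd image, the footer excluded for a fixed VHD."""
    info = vhd_footer(path)
    return info[1] if info and info[0] == 2 else os.path.getsize(path)  # type 2 == fixed

def flat_descriptor(extent_name, payload_bytes):
    """Minimal monolithicFlat .vmdk text for one raw extent (IDE geometry 16 heads, 63 spt)."""
    sectors = payload_bytes // SECTOR
    return "\n".join([
        "# Disk DescriptorFile", "version=1", "CID=fffffffe", "parentCID=ffffffff",
        'createType="monolithicFlat"', "", "# Extent description",
        f'RW {sectors} FLAT "{extent_name}" 0', "", "# The Disk Data Base", "#DDB",
        'ddb.virtualHWVersion = "4"', f'ddb.geometry.cylinders = "{max(1, sectors // 1008)}"',
        'ddb.geometry.heads = "16"', 'ddb.geometry.sectors = "63"', 'ddb.adapterType = "ide"', ""])

def make_fixed_vhd(path, payload_bytes):
    """Constructed sample input: zero-filled raw data with a fixed-VHD footer appended."""
    footer = bytearray(SECTOR)
    footer[0:8] = b"conectix"
    footer[16:24] = b"\xff" * 8                                       # data offset: none (fixed)
    footer[40:56] = struct.pack(">QQ", payload_bytes, payload_bytes)  # original / current size
    footer[60:64] = struct.pack(">I", 2)                              # disk type: fixed
    footer[64:68] = struct.pack(">I", ~sum(footer) & 0xFFFFFFFF)      # ones'-complement checksum
    with open(path, "wb") as f:
        f.write(b"\0" * payload_bytes + footer)

def demo(payload_bytes=4 * 1024 * 1024):
    """Write a constructed VHD and a plain dd image to a temp dir and size both."""
    d = tempfile.mkdtemp()
    vhd, dd = os.path.join(d, "case.vhd"), os.path.join(d, "case.dd")
    make_fixed_vhd(vhd, payload_bytes)
    with open(dd, "wb") as f:
        f.write(b"\0" * payload_bytes)                                # same data, no footer
    return {"vhd_file": os.path.getsize(vhd), "vhd_footer": vhd_footer(vhd),
            "vhd_payload": raw_payload_bytes(vhd), "dd_footer": vhd_footer(dd),
            "dd_payload": raw_payload_bytes(dd), "descriptor": flat_descriptor("case.vhd", raw_payload_bytes(vhd))}
```

Because the extent line counts only the raw sectors, the descriptor works unchanged whether it points at the dd file or at the fixed VHD: the trailing footer simply falls outside the extent. Save the returned text next to the image as a .vmdk and attach that to the VM.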