Notifications
Clear all

Facebook URLs

10 Posts
5 Users
0 Likes
1,824 Views
(@twjolson)
Posts: 417
Honorable Member
Topic starter
 

Hello,

Is there a paper out describing the facebook URLs? So, if I can determine what each type means, what profiles they may have come from, etc.

Barring that, has anyone done a bunch of testing with facebook URLs that I can pick your brain?

Any help would be appreciated.

 
Posted : 27/05/2012 2:13 am
hcso1510
(@hcso1510)
Posts: 303
Reputable Member
 

I seem to recall a poster under the name DangerMouse mentioned doing a paper on Facebook a while back. Send him an email or PM.aybe he can help you. It's my understanding that while Facebook assigns url's for its members initially, they can be changed to a vanity url.

 
Posted : 28/05/2012 6:51 am
(@twjolson)
Posts: 417
Honorable Member
Topic starter
 

I am looking for interpreting picture URLs, rather than profile URLs (those are pretty easy.)

I sent him a message, but more help would be appreciated (since I don't know when/if he will log in before this case is put to bed).

 
Posted : 29/05/2012 8:37 pm
(@belkasoft)
Posts: 169
Estimable Member
 

Hello,

Is there a paper out describing the facebook URLs? So, if I can determine what each type means, what profiles they may have come from, etc.

Barring that, has anyone done a bunch of testing with facebook URLs that I can pick your brain?

Any help would be appreciated.

Some time ago I've seen an article called "Facebook Forensics". Maybe it helps?

 
Posted : 30/05/2012 8:59 pm
jeromey
(@jeromey)
Posts: 3
New Member
 

When I was in college I wrote a paper on Facebook Forensics discussing both the legal and technical aspects of such a case. I did my technical testing using my Facebook account, friend profiles, and public data posted by people I did not know.

My recommendation is to do some testing on your own using Wireshark and your Facebook account. Since Facebook does not store much information in cache, watching the data using wireshark will prove beneficial.

Take a look at the bottom of this user manual from X1 Discovery. They documented Facebook metadata for reference. This data along with your testing should get you what you need.

http//www.x1discovery.com/download/X1_Social_Discovery_User_Manual.pdf

Thanks

Jeromey

Hello,

Is there a paper out describing the facebook URLs? So, if I can determine what each type means, what profiles they may have come from, etc.

Barring that, has anyone done a bunch of testing with facebook URLs that I can pick your brain?

Any help would be appreciated.

 
Posted : 30/05/2012 10:14 pm
(@twjolson)
Posts: 417
Honorable Member
Topic starter
 

Thank you for the replies. The suggested resources may not have everything I need, but it's a great start. I can research the rest, I think.

 
Posted : 01/06/2012 6:11 pm
(@twjolson)
Posts: 417
Honorable Member
Topic starter
 

Ok, so after research, this is what I got, in case anyone after me needs this information. Facebook has a couple of different ways of naming images, so the below may not be correct for all image URLs. This is not meant to be exhaustive, as I could not decipher everything, and I restricted myself to pre-timeline profiles.

Small Profile Pictures URL begins with profile., the image name is three sets of numbers and a q. OF the three, the middle number group is the users profile number. This seems to be true for every small profile image, regardless of where its found (feed, photo comments, etc). For example, http//profile.ak.fbcdn.net/hprofile-ak-snc4/49865_[user number]_4231_q.jpg.

Main Profile Picture The main profile (non-timeline) picture is the same as above, but it has n in the filename. Example, http//profile.ak.fbcdn.net/hprofile-ak-snc4/70769_[user number]_2844677_n.jpg

Photo Album Photos thumbnails Those preceded by photos- are thumbnails seen while browsing the photo album. They have five number groups in the file name (third is the user's profile number), and end with an a. Example, http//photos-h.ak.fbcdn.net/hphotos-ak-ash3/168306_1796291510088_[user number]_2004440_6585801_a.jpg

Photo Album Full Size These are preceded with sphotos (or sometimes a[num].sphotos), have five groups of numbers in the filename, of which the 3rd group is the user's profile. They will end in N, but I suspect they could end in o. The file name between the thumbnail and full size image will be the same, save for the image size letter (a vs. n/o) Example, http//a3.sphotos.ak.fbcdn.net/hphotos-ak-ash3/562083_4029443577494_[users number]_3682467_1173265838_n.jpg

Alternate naming convention for images The other photos- image filename is a letter, and three number groups (rather than 5). Of the three groups, the first group is the users profile number. Example, http//photos-b.ak.fbcdn.net/photos-ak-snc1/v2672/184/3/508792327/a[user number]_1432859_1161200.jpg

External Images Images from websites other than Facebook (fbcdn.net). They have the form of external.ak.fbcdn.net/safe_image.php? and then an encoded URL. I noticed a lot coming from upload.wikimedia.org with a "&crop" string at the end. I don't know why.

Advertisments preceded by creative. Example, http//creative.ak.fbcdn.net/v565063/flyers/119/2/13373747992094722135_1_2dc88ae8.jpg.

Image Sizes
Each image has a letter as part of the file name. I've seen a, n, o, q, s, and these seem to be generic image sizes.
a Seen in thumbnail images. Limited to 180 pixels on width.
n Seen in main profile picture, Feed image thumbnail, and full size album picture. No common size was seen, but they are typically 'bigger'
o Also seen in full size images. This one seemed to be larger than the n images.
q Seen only in small profile images. File size was 50x50.
s Only seen in Friend's Photos on the side of the main page. These seem to be limited to 130 pixels width.

 
Posted : 06/06/2012 7:28 pm
(@c-r-s)
Posts: 170
Estimable Member
 

Just a quick note that Facebook has changed its CDN URLs.
At the time of the question, one could have assumed a generic format of 5 number groups (2 IDs, 3 pseudo random obfuscators - one for each ID, one for all) plus image type indicator, shortened to three number groups for certain purposes (1 ID, 2 pseudo random; e.g. profile pictures without the content ID and its random number, or album pictures without the UID and its random number).
Today only file names with three number groups should be retrieved through a facebook page. However, the CDN retains files matching the old naming convention.

 
Posted : 16/11/2012 11:08 pm
(@twjolson)
Posts: 417
Honorable Member
Topic starter
 

One thing I have noticed in my current examination (unconnected with the one that spawned the original post).

As stated before, Facebook uses two types of Image URLs
<num 1>_<num 2>_<facebook ID num>_<num 4>_<num 5>_<size letter>.jpg
<num1>_<num 2>_<num 3>_<size letter>.jpg

I have noticed that when a image has both the long and short format (maybe the suspect visited the image previously before the files were renamed to the shorter format), in this instance both the first, second, and third groups of the short name correspond to the first, second, and last groups in the long file name.

That is to say that one can convert a long filename to a short one by taking out groups 3 and 4.

 
Posted : 04/12/2012 9:57 pm
(@c-r-s)
Posts: 170
Estimable Member
 

As stated before, Facebook uses two types of Image URLs
&lt;num 1&gt;_&lt;num 2&gt;_&lt;facebook ID num&gt;_&lt;num 4&gt;_&lt;num 5&gt;_&lt;size letter&gt;.jpg
&lt;num1&gt;_&lt;num 2&gt;_&lt;num 3&gt;_&lt;size letter&gt;.jpg

Again this info is outdated - in fact, I only commented on this, because it is outdated for the use in CDN exploitation, but might still be helpful for forensic artifacts.

The generic format formerly was

CIDrandom_CID_PID_PIDrandom_totalrandom_type.jpg

and could have been shortend to

CIDrandom_CID_totalrandom_type.jpg

for the purpose of privacy friendly linking. In this case, PIDrandom made it (a bit) difficult to check a PID against a shortened file name. The file with the short name could have been retrieved for _every_ photo having the long name. However, e.g. when parsing an album, photos were randomly delivered with long and short names.

Besides the generic format, there were special photo types, e.g. the pre-timeline profile picture, named like this

PIDrandom_PID_totalrandom_type.jpg

Their type indicator did not correspond to type indicators in albums/to the generic naming convention. So the subject of a "n" profile picture might have been found in a better resolution under generic naming as an "n" album picture in the "profile pictures" album.

Today's three number groups are completely different.

 
Posted : 04/12/2012 11:05 pm
Share: