I have a case that requires the retreaval of Facebook Private Messages from a laptop computer. Has anyone come across this in the past and if so where would be the best place to start looking for these files. The IE is set to delete history when closed so there is no internet history on the computer. Any help that you can provide would be great.
Is it a specific message to a person?
Often the best bet is to get it from the other persons computer if possible. If the person has deleted the messages from their account then chances of recovering them are slim.
Do you know the content of the messages? Often a keyword search for some unusual terms used is a good start.
Failing that there will be artifacts left behind in a few places such as RAM, web browser cache, the pagefile, unallocated clusters and system restore points.
IEF from Magnet forensics is a good tool for recovering facebook data.
Good luck
If you can get into the Facebook account you can download them fairly easily.
If you can get into the Facebook account you can download them fairly easily.
With the appropriate court order or written authorisation of the account holder, this may be a good option, however trying to access without this would be considered a criminal offence in many places 😉
There are no files for Facebook private messages. They are stored on Facebook servers only. However, there are some chances that you can find them in hibernation or pagefile. You can download our Belkasoft Evidence Center, which supports analysis of both types of files and is free to try at http//
If you can get into the Facebook account you can download them fairly easily.
With the appropriate court order or written authorisation of the account holder, this may be a good option, however trying to access without this would be considered a criminal offence in many places 😉
I didn't say hack, I just said access P I've been given permission to access an account as well as court orders.
Good afternoon Frostyx4,
Facebook communications are stored directly on the system servers, and so whilst you may find cached copies on the localhost of the sender/recipient, you may be best going to the source.
You can secure a production order/subpoena to have copy records served direct, or if you have authorised access to the account for either party to the exchange, then consider using an automated tool to log in and capture the communications.
Regards,
Ross
Thank you all for you help, this has given lots of information. I can now go back to the client and explain in more details what I had previously said about the Private Chat on Facebook. The member has his IE set to delete all history when closed, and he had deleted the chat from his facebook account. The info they were looking for was over a year old, and I had already explained the odds of recovery was very slim to none. Again Thank You all for your input and information.