Facebook Private Me...
 
Notifications
Clear all

Facebook Private Messages

8 Posts
6 Users
0 Likes
926 Views
(@frostyx4)
Posts: 11
Active Member
Topic starter
 

I have a case that requires the retreaval of Facebook Private Messages from a laptop computer. Has anyone come across this in the past and if so where would be the best place to start looking for these files. The IE is set to delete history when closed so there is no internet history on the computer. Any help that you can provide would be great.

 
Posted : 29/08/2013 8:59 pm
(@ali-b)
Posts: 16
Active Member
 

Is it a specific message to a person?
Often the best bet is to get it from the other persons computer if possible. If the person has deleted the messages from their account then chances of recovering them are slim.

Do you know the content of the messages? Often a keyword search for some unusual terms used is a good start.

Failing that there will be artifacts left behind in a few places such as RAM, web browser cache, the pagefile, unallocated clusters and system restore points.

IEF from Magnet forensics is a good tool for recovering facebook data.
Good luck

 
Posted : 29/08/2013 9:15 pm
(@sgreene2991)
Posts: 77
Trusted Member
 

If you can get into the Facebook account you can download them fairly easily.

 
Posted : 30/08/2013 3:20 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

If you can get into the Facebook account you can download them fairly easily.

With the appropriate court order or written authorisation of the account holder, this may be a good option, however trying to access without this would be considered a criminal offence in many places 😉

 
Posted : 30/08/2013 5:43 am
(@belkasoft)
Posts: 169
Estimable Member
 

There are no files for Facebook private messages. They are stored on Facebook servers only. However, there are some chances that you can find them in hibernation or pagefile. You can download our Belkasoft Evidence Center, which supports analysis of both types of files and is free to try at http//belkasoft.com/trial.

 
Posted : 30/08/2013 10:40 am
(@sgreene2991)
Posts: 77
Trusted Member
 

If you can get into the Facebook account you can download them fairly easily.

With the appropriate court order or written authorisation of the account holder, this may be a good option, however trying to access without this would be considered a criminal offence in many places 😉

I didn't say hack, I just said access P I've been given permission to access an account as well as court orders.

 
Posted : 04/09/2013 3:19 am
(@afentis_forensics)
Posts: 47
Eminent Member
 

Good afternoon Frostyx4,

Facebook communications are stored directly on the system servers, and so whilst you may find cached copies on the localhost of the sender/recipient, you may be best going to the source.

You can secure a production order/subpoena to have copy records served direct, or if you have authorised access to the account for either party to the exchange, then consider using an automated tool to log in and capture the communications. www.facebookforensics.com might do the trick, as well as capture all media/timeline/posts, generate audit logs and screen captures. If you want to send me a PM, I'll be able to give you some advice on Data Retention policies at FB and arrange for a licence - hope it helps with your casework.

Regards,
Ross

 
Posted : 04/09/2013 5:07 pm
(@frostyx4)
Posts: 11
Active Member
Topic starter
 

Thank you all for you help, this has given lots of information. I can now go back to the client and explain in more details what I had previously said about the Private Chat on Facebook. The member has his IE set to delete all history when closed, and he had deleted the chat from his facebook account. The info they were looking for was over a year old, and I had already explained the odds of recovery was very slim to none. Again Thank You all for your input and information.

 
Posted : 12/09/2013 12:36 am
Share: