Join Us!

Facebook and data-d...
 
Notifications
Clear all

Facebook and data-date information  

  RSS
chroberts39
(@chroberts39)
New Member

Dear All

I am currently looking at a case with Facebook fragments being of interest, in particular, there is a piece of html code in pagefile.sys with a tag
data-date=\ then what appears to be a web server time stamp.

Can anyone shed some light on what the data-date info relates to and what can be stated evidentially. What I would like to say is that although the info is in the pagefile.sys, the date and time following the data-date tag is derived from Facebook's server.

Any comments much appreciated.

Colin

Quote
Posted : 28/03/2011 4:06 pm
chrisdavies
(@chrisdavies)
Member

did you get any information on this?

ReplyQuote
Posted : 10/04/2011 5:02 am
chroberts39
(@chroberts39)
New Member

Chris

Apologies for the delay, as you can tell, I did not get any replies however further experimentation drew me to the conclusion that it is a server generated date time stamp.

The relevance of this for me was to be able to say that even though the fragment was found within the pagefile.sys, it could be stated that the fragment found was of actual html code generated from facebook's server and the date time stamp is from facebook's server as is common in serverside scripting. The html generated is dependent on the site's owners/developers and is forever changing. As time has passed, it does not appear that facebook uses the tag in the same way now however, this does not alter my original assumption.

The important part here for me was to be able to say with a high degree of confidence that a user viewed a facebook page around a particular time.

Cheers,

Colin

ReplyQuote
Posted : 10/12/2011 4:44 pm
96hz
 96hz
(@96hz)
Active Member

I just wanted to ask, that presumably the date stamp was within the data structure of the recovered HTML you were looking at and was it this or another reason that meant it could definitely be associated with what you were looking at ?

ReplyQuote
Posted : 10/12/2011 5:35 pm
chroberts39
(@chroberts39)
New Member

Yes that is correct, and since the output html code derived from face book's server, I was looking to ascertain if the date time stamp also derived from them, as opposed to host side. In which case, the artefact I was interested in came in to being round about the server timestamp.

I am sure there are other issues similar to this from items recovered from pagefile.sys or live forensics that focuses more on understanding the html code.

ReplyQuote
Posted : 11/12/2011 1:54 am
Share: