We have imaged a MacBook Pro (late 2011 model) using FTK Imager. We have processed the case using FTK 3.3 with Oracle. We attempted to process it several times using FTK 4.2 and 4.1; however, the process continued to fail due to (still unresolved) memory issues. So, we opted to attempt to process it using 3.3 with Oracle, and it finally completed processing. We're currently installing the update 4.2.1, and we will attempt to process the case again.
Our primary goal is to recover content of Facebook Chat/Messages. We know the user used Facebook Chat/Messages, and we know there are thousands of visits to Facebook. We know the user had two Facebook Apps installed on the laptop. Yet, we have yet to recover a single Facebook message (or artifacts of Facebook Chat/Message content, properties of a message, message/conversation ID's, etc.).
We have previously recovered several hundred Facebook Chat/Messages on a laptop with Windows. Those artifacts were identified using manual searching, custom carving, and IEF. One of the two formats we recovered/identified is the same as identified in this .pdf report by Marshall University.
This report also indicates that the only Facebook Message artifacts recovered from Safari were messages that were "already read", and that they were unable to recover sent messages or new inbox messages. We have visits to the user's Facebook Message page, which has "already read" messages. Yet, we still cannot identify any message content.
We also have numerous webpage previews (deleted and undeleted) which show Facebook page previews, including a shot of the User's Notification drop-down menu; however, we have no images of the messages window. This is despite the fact that we have visits to the messages page.
Has anyone successfully recovered Facebook Chat/Message content from a MacBook Pro where the user was using Safari/another app? The user did not back up the phone to the computer, so examining mobile content is not possible, and the user did not back up the computer itself. So, besides any messages that would appear in the backups, does anyone have any suggestions/ideas for how to recover (or at least identify) any data, whether it's in allocated/unallocated space? Or, does anyone know exactly why we are not seeing any of this data? Any help/suggestions would be much appreciated.
Hi Laura,
Facebook chat and other artifacts like emails, wall posts, etc. can be hard to come by these days, as Facebook no longer writes much to disk anymore, especially with regard to chat. Your best bet is finding artifacts in RAM captures and/or the sleepimage/swap files. However, depending on settings and the version of the OS, those files could be encrypted. On a Windows system, you can still find chat artifacts in the pagefile.sys and hiberfil.sys files.
If you have done some manual searches (using keywords along the lines of "msg"{"text"" ) and haven't found anything, I'd say there's a good chance that there is no Facebook chat on that drive, unfortunately.
As for the zero length plist files, it could be that they really are zero length files. Do you have any other forensic software to open the image with to verify this?
Regards,
Jad
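The keyword-driven search Jad describes above (hunting for JSON-like chat fragments such as `"msg":{"text":` in allocated and unallocated space, then carving out the surrounding object) can be scripted. The following is an added example, not code from any poster or tool in this thread. It assumes a hypothetical fragment layout of `{"msg":{"text":...,"time":<epoch ms>,"from":...}}`, which is an assumption for illustration only; the exact on-disk format Facebook used at the time is not documented on this page, so the keyword and field names would need to be adapted to what you actually see in hex view. The sample "image" bytes are constructed inline so the script runs offline; on a real case you would read the raw image (or the swap/sleepimage/pagefile) in chunks instead.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of raw image bytes: two complete chat fragments embedded in
# junk, plus one truncated fragment that a naive keyword hit would mis-report.
SAMPLE_IMAGE = (
    b"\x00\x17\x9a junk junk "
    b'{"msg":{"text":"hey, are you coming tonight?","time":1351027200000,"from":"1234"},"thread_id":"t_1"}'
    b"\xff\xfe garbage "
    b'{"msg":{"text":"yes, see you at 8","time":1351027260000,"from":"5678"}}'
    b"\x00\x00"
    b'{"msg":{"text":"truncated frag'   # cut off: braces never balance
)

# Hypothetical keyword (assumption): adapt to whatever structure you see in hex.
KEYWORD = b'"msg":{"text":'


def find_candidates(data, keyword=KEYWORD):
    """Return every byte offset at which the keyword occurs in the blob."""
    return [m.start() for m in re.finditer(re.escape(keyword), data)]


def _match_braces(data, start):
    """Walk forward from an opening '{' and return the offset one past its
    matching '}', honouring JSON string quoting so braces inside message text
    do not confuse the count. Returns None if the object never closes."""
    depth = 0
    in_str = False
    esc = False
    for i in range(start, len(data)):
        c = data[i:i + 1]
        if in_str:
            if esc:
                esc = False
            elif c == b"\\":
                esc = True
            elif c == b'"':
                in_str = False
        elif c == b'"':
            in_str = True
        elif c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i + 1
    return None


def carve_messages(data, keyword=KEYWORD):
    """Carve parseable chat objects around each keyword hit.

    For every hit, back up to the nearest '{', brace-match forward, and try to
    parse the span as JSON. Truncated or corrupt fragments are skipped rather
    than reported as recovered messages."""
    seen = set()
    results = []
    for hit in find_candidates(data, keyword):
        start = data.rfind(b"{", 0, hit)
        if start < 0 or start in seen:
            continue
        end = _match_braces(data, start)
        if end is None:
            continue  # truncated fragment, nothing reliable to report
        try:
            obj = json.loads(data[start:end].decode("utf-8", "replace"))
        except ValueError:
            continue
        msg = obj.get("msg") if isinstance(obj, dict) else None
        if not isinstance(msg, dict) or "text" not in msg:
            continue
        seen.add(start)
        ts = msg.get("time")
        results.append({
            "offset": start,
            "text": msg["text"],
            "from": msg.get("from"),
            # epoch milliseconds -> UTC ISO string, so the report is unambiguous
            "time_utc": datetime.fromtimestamp(ts / 1000, tz=timezone.utc).isoformat()
            if isinstance(ts, (int, float)) else None,
        })
    return results


if __name__ == "__main__":
    for r in carve_messages(SAMPLE_IMAGE):
        print(f"offset 0x{r['offset']:x} from={r['from']} {r['time_utc']}: {r['text']}")
```

The brace matching and the `json.loads` check are what separate a real carve from a plain keyword hit: a keyword search alone will flag the truncated third fragment too, which is exactly the kind of false positive that makes "we found the keyword but no content" reports confusing. Run the same routine over the swap/sleepimage (or pagefile.sys/hiberfil.sys on Windows) once those are available in decompressed, unencrypted form.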
I can recommend trying Belkasoft Evidence Center. After all, this kind of job is exactly what we made the product for. We support MacOS X images, even though the actual analysis will take place on a Windows PC. You can get a trial version here http//
Okay, I figured out why I was getting the zero-length files. The short reason is I was looking in the wrong place.
I appreciate both of your responses. I've downloaded and run IEF without any luck; now I'm going to try Belkasoft's program.
I'm guessing now the real problem is what Jad mentioned…the swapfile/sleepimage files being encrypted. Any suggestions about how to tackle that? It seems like I'll have a greater chance of recovering something with IEF if I can access those files.
Thank you again for your help.
Neither hiberfil.sys nor page file(s) are encrypted, but hiberfil.sys is compressed. Pretty much any forensic tool, including our own, can decompress the hibernation file. Or you can check out the following links:
http//
and
http//
Hi Laura,
Glad to hear you're getting somewhere.
Unfortunately I'm not aware of anything that can decrypt the swap/sleepimage files if encryption for those files was turned on.
On Windows, the pagefile.sys can also be encrypted but by default is not. The hiberfil.sys can't be encrypted but is compressed. None of this is applicable to you, however, since you are working with a Mac image.
You may want to contact the good people at Blackbag to see if they have any suggestions for the swap/sleepimage files.
Good luck,
Jad