Facebook Chat fragments

Facebook chat fragments can be found in unallocated clusters.

I am not sure what your program will do but if it could search unallocated clusters and display the results in an easily read report it would be very useful.

I would recommend that you look at Internet Evidence Finder (JAD Software)

I find this a very good tool for Facebook Chat.

Best of luck with the program

Facebook chat fragments are often found in files that have names such as 'p_<profile number>…txt'
I did a video of this a couple of years ago. Facebook has changed a bit since then but I think some of it still applies
http//forensic4cast.com/2008/06/04/facebook-video/

Does anyone know if facebook chat fragments are stored anywhere else other then pagefile.sys/hiberfil.sys?

Thanks in advance

(i am doing my final year project and creating a program that will display facebook chat fragments.)

I am doing a conference paper on this at the moment about the same. There is already a program. There is one here and one here.

Unallocated clusters is a good place to look. I would do a GREP search for the following string (which is unique to the start of the fragment).

for (;;);{"t""msg", the footer for these is }]}

Also Facebook chat is in JSON.

Send me a message if you want some more info.

DM

I am doing a conference paper on this at the moment about the same. There is already a program. There is one here and one here.

DangerMouse, you rock. R U gonna publish the paper or are we going to have to buy it?

Paul

R U gonna publish the paper or are we going to have to buy it?

As it is part of my Masters, as well as a conference paper, once it is finalised and marked I see no reason in not putting it out there. I may have to get it reviewed first though. Mine is only dealing with dead box forensics, not artefacts in memory or network captures.

There is probably a good paper in network captures of Facebook artefacts within private enterprise and the like.

Cheers,

DM

There's plenty of information about facebook around, such as on Richard Drinkwaters blog at http//forensicsfromthesausagefactory.blogspot.com/
And (as mentioned on there) Jad's program IEF is very good at recovering Facebook artefacts (amongst other things).
But if being more thorough, (as with everything) you will probably be able to carve out even more manually if you test yourself and create some smaller strings to carve out partial fragments (as i found useful on a few defence jobs relating to FB).
Rich

I think you might want to expand your project to cover more than just facebook chat parsing, I've just written a parser, it took about 4 hours of wrestling with Enscript (didnt like the existing implementations). Why not include some of the other nice stuff from facebook? Whos logged in and when? whos on their friendslist? what wall posts have they made? have they received any private messages? are they going to any events?

A final year project should be challenging if you want to get the credit you deserve.

thanks so much for the information.

I am just doing my research now and starting my aims and objectives will have a much clearer picture of what we are trying to achieve hopefully over the next couple of days.

Yeah JADSoftware was where we got the idea for this from, not used it in the real world but from a studying point of view its seems fantastic product.

again thanks very much

will keep u updated of how we are getting on and hopefully maybe you can see the product itself if we can get it working.

Xennith

hopefully through our research we will be able to add these to the search and be able to display different types of information for the examiner.

we just got to find out what is possible and what isnt!!

)