Hello everyone,
Does anyone know if it's still possible to recover Facebook chat artifacts through EnCase?
I've been testing with a VM and chatting around, doing keyword searches. But nothing comes up. Am I missing something, or did Facebook change their way of storing information on the system?
What search string are you using?
I saw an EnScript somewhere once that did search and find; I will try and dig it out.
The search strings I used were the words that were sent/received throughout the conversation.
You can find an EnCase Script
In case you want to find the strings on your own, try [{„msg“{text“ because every chat starts with it. As far as I have found out so far, chats are only stored in the temporary internet files or their remnants.
Regards, and let me know if it worked for you :)
The EnScript isn't producing any results, just empty CSV files. I think it might be outdated. Facebook probably changed their structure, as the script is already 1 year old.
I'm only finding some messages in the System Volume Information, any thoughts?
Not finding anything in the temporary internet files.
I know that EnCase is capable of recovering FB chat fragments; I assisted an LE who had done exactly that, and asked for my help in reassembling the conversation. They provided me with some samples and I wrote a script that ran through several hundred extracted JSON segments and reassembled the conversation, in order.
It's not EnCase, but I found the best way to get back Facebook chats and IE carved data is http//
You can extract Facebook chats with the help of Belkasoft Evidence Center tool and then import them back to EnCase v.7 using a free EnScript provided here http//
As I'm a student, I can't buy expensive software.
The main goal of the project is to extract chat conversations through EnCase.
Are the messages encrypted or something? Because I only find some messages in the System Volume Information and the $LogFile.
@keydet89, would you mind sharing your script?
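The carve-and-reassemble approach described in the thread, as an added example (it is not keydet89's script or any poster's code). It assumes the search string quoted above corresponds to the byte sequence `{"msg":{"text":`; the field names `time`, `msgID`, `from` and `from_name` and the sample data are assumptions constructed for illustration.

```python
import json

# Assumption: straight-quote byte form of the search string quoted in the thread.
MARKER = b'{"msg":{"text":'
DECODER = json.JSONDecoder()

def carve_messages(blob: bytes) -> list:
    """Return every complete JSON message object that starts at MARKER."""
    found, pos = [], blob.find(MARKER)
    while pos != -1:
        # Bounded window; errors="replace" tolerates binary junk after the object.
        window = blob[pos:pos + 65536].decode("utf-8", errors="replace")
        try:
            obj, _end = DECODER.raw_decode(window)
            found.append(obj)
        except json.JSONDecodeError:
            pass  # truncated or partly overwritten fragment: skip it
        pos = blob.find(MARKER, pos + 1)
    return found

def reassemble(objs: list) -> list:
    """Drop repeated copies of a message, then order by the assumed 'time' field."""
    unique = {}
    for o in objs:
        msg = o["msg"]
        key = msg.get("msgID") or (msg.get("time"), o.get("from"), msg["text"])
        unique.setdefault(key, o)
    return sorted(unique.values(), key=lambda o: o["msg"].get("time", 0))

def transcript(blob: bytes) -> list:
    """(time, sender, text) tuples in conversation order."""
    return [(o["msg"].get("time"), o.get("from_name", o.get("from")), o["msg"]["text"])
            for o in reassemble(carve_messages(blob))]

# Constructed sample: out-of-order fragments, one duplicate, one truncated tail.
SAMPLE = (
    b'\x00\x13for (;;);{"t":"msg","ms":[{"msg":{"text":"see you at 8",'
    b'"time":1300000200000,"msgID":"b2"},"from":1002,"from_name":"Bob"}]}\xff\xfe'
    b'[{"msg":{"text":"hi bob","time":1300000100000,"msgID":"a1"},'
    b'"from":1001,"from_name":"Alice"}]\x00\x00'
    b'{"msg":{"text":"see you at 8","time":1300000200000,"msgID":"b2"},'
    b'"from":1002,"from_name":"Bob"}\x00{"msg":{"text":"trunca'
)

if __name__ == "__main__":
    for when, sender, text in transcript(SAMPLE):
        print(when, sender, text)
```

Run against unallocated space, $LogFile or restore-point data exported from the image, the same functions keep only fragments that still parse as complete JSON, so overwritten remnants are skipped rather than misreported.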




