Are the messages encrypted or something? Because I only find some messages in the System Volume Information and the $LogFile.
The messages are not encrypted, they are simply not stored. What you can find is only remnants in pagefile or hibernation file.
So you are saying the messages are clear text? Also is it untrue that messages are left in the temporary internet files? (Like someone said in this topic.)
I'm having some success with those search strings:
"message" OR "msg_body"; these point me to the System Volume Information/$LogFile.
Only found 1 word so far in the pagefile.sys.
Will continue with my research and keep you updated.
This is JSON, not completely plain text. Facebook used to keep something in the cache (IE only), but does not keep it anymore, at least per my knowledge.
Yes, I guess LogFile can store such info too per its nature.
keydet, how long ago?
Because as far as I know Facebook chats radically changed structure and behaviour during the past few months (I'd say 1 month and a half).
I had a script that was able to carve Facebook chats and software that was able to recover profiles from image names; they both don't work anymore.
Facebook has indeed radically changed the way it stores chat messages, however it has always tended to save them as a JSON - it's just the structure of the JSON which has changed, and whether the message is embedded in a web page or not. You might want to do a little research into them.
Good luck!
If you found remnants in a Volume Shadow Copy, then you should mount it and retry your search.
Here's a tutorial on how to do that in EnCase by the ever-brilliant Simon Key.
As Volume Shadow Copy is just a folder, it can be easily viewed with many file manager tools, such as, for example, FAR Manager. No mounting required, just enter the folder and inspect files with file viewer, copy files to other folders and so on.
I mean individual shadow copy volumes, not the "System Volume Information" folder itself. If he's found fragments of chat within a shadow copy volume, then if he wants to use EnCase to examine them then the link I provided is a good start.
I am not aware of any file manager which allows extraction of data from shadow copy volumes. Happy to be proved wrong!
Hi Jaappie.
IE9 doesn't seem to save chats in Temporary Internet Files. I've only found data in System Volume Information.
It's very easy to find it by searching for the key
for (;;);{
That key is always the beginning of Facebook JSON data.
Best regards. Roberto Blasco.
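The marker search described in the post above can be automated over an exported pagefile, $LogFile or shadow copy. This is an added example, not code from the thread: the function names and the sample buffer are constructed, the `msg_body` key is borrowed from the search strings mentioned earlier in the thread, and it assumes the remnants are UTF-8 rather than UTF-16.

```python
import json

MARKER = b"for (;;);"  # prefix reported in the post above

def carve_object(buf, start, max_len=65536):
    """Parse the JSON object whose '{' is at buf[start]; None if truncated or corrupt."""
    depth, in_str, esc = 0, False, False
    for i in range(start, min(len(buf), start + max_len)):
        c = buf[i]
        if in_str:                      # braces inside strings must not count
            if esc:
                esc = False
            elif c == 0x5C:             # backslash escapes the next byte
                esc = True
            elif c == 0x22:             # closing quote
                in_str = False
        elif c == 0x22:
            in_str = True
        elif c == 0x7B:                 # {
            depth += 1
        elif c == 0x7D:                 # }
            depth -= 1
            if depth == 0:
                try:
                    return json.loads(buf[start:i + 1].decode("utf-8"))
                except ValueError:      # bad UTF-8 or overwritten fragment
                    return None
    return None                         # ran off the end: fragment is cut short

def carve_facebook_json(buf):
    """Return [(offset, parsed_object_or_None)] for every marker followed by '{'."""
    hits, pos = [], buf.find(MARKER)
    while pos != -1:
        brace = pos + len(MARKER)
        if buf[brace:brace + 1] == b"{":
            hits.append((pos, carve_object(buf, brace)))
        pos = buf.find(MARKER, pos + 1)
    return hits

# Constructed sample: one intact remnant and one truncated remnant between junk bytes.
SAMPLE = (b"\x00\x13junk"
          b'for (;;);{"t":"msg","msg_body":"see you at 8 {ok}","from":"A \\"B\\""}'
          b"\xff\xfe pad "
          b'for (;;);{"msg_body":"cut off he' b"\x00\x00")

if __name__ == "__main__":
    for offset, obj in carve_facebook_json(SAMPLE):
        print(hex(offset), obj if obj is not None else "<truncated fragment>")
```

Hits that come back as `None` still give an offset worth examining by hand, since unstructured message text may sit next to a broken fragment.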
@jaappie - Check out EnCase on Demand. There are 3 free on-demand presentations and recovering Facebook chats is one of them; I watched it this morning. It describes the procedure in step-by-step detail.
The EnCase video of Facebook is from 2009 already, right? It's outdated and almost useless at this moment.
It's really hard to find Facebook messages, because every time the structure of the message is different. And sometimes I only find the text of the message without any form of structure.
Edit: Right now I'm finding parts of conversations in Chrome. It's in the AppData\Local\Google\Chrome\User Data\History Index. Conversations are in clear text without any structure; it contains the name and date, that's all.