Facebook  
Pachino
(@pachino)
New Member

Ok so here's the situation, I'm a student and I have recently handed in the following proposal for an experiment.

Summary
For this experiment I will be searching for artefacts that have been left after two people have a conversation using Facebook’s chat facility, more specifically I will be looking for any records of the actual conversation itself.
In order to find the Facebook chat conversation I will be running keyword searches for fragments of a dummy conversation that I will have between my own account and a fake one that will be set up.
It is my intention to confirm that the format of the artefacts left behind conforms to that found in my reading (JSON (JavaScript Object Notation), based on JavaScript, is built on two structures: objects and arrays). If this is the case then I will go on to use the profile ID of one of the accounts in the conversation in a keyword search that will hopefully reveal the location of more artefacts or any missing fragments of the dummy conversation.

Depth
Within the artefacts that are expected there will be a Unix timestamp that I will decode; this should give the time that its 'parent' message was sent. There should also be a message ID, which is a unique identifier for the message. This could be useful in proving that the discoveries made are not forgeries, because it should allow an investigator the opportunity to contact Facebook in order to retrieve the message from their end, thus ensuring that the evidence will stand up in court.

I have also been told that, because somebody else on my course is proposing a similar experiment, we should collaborate and our proposals should go hand in hand. This leaves two options available to us:
1. We can either broaden our project to include more Facebook related points of interest.
2. We could remain on the path set out in my proposal but go into more depth.

In regards to my first option, I have been searching for any articles written about Facebook artefacts and have been coming up blank; this is mainly because I don't know what it actually is that I am looking for. In regards to my second option, I can't think of any way to bulk it out.
I would appreciate any thoughts that you have or suggestions on how to make my assignment more complex.

Thanks.

Posted : 14/01/2011 3:21 am
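The proposal above boils down to three steps: find the fragment bytes, confirm they parse as JSON objects, and decode the Unix timestamp and message ID inside them. The following is an added example of that workflow written for this thread, not code from the poster or from Facebook. The raw bytes are constructed, and the key names ("msg", "from", "time", "msgID") are an assumption for the example rather than Facebook's actual chat schema; the only thing the approach relies on is that the artefact is a JSON object embedded in arbitrary surrounding data.

```python
import json
from datetime import datetime, timezone

# Constructed sample of raw bytes of the kind that might be carved from a
# browser cache or unallocated clusters. The JSON layout (keys "msg", "from",
# "time", "msgID") is an assumption for this example, not Facebook's format.
CONSTRUCTED_RAW = (
    b"\x00\xff<html>junk before{"                      # unrelated leading bytes
    b'{"msg":{"text":"meet at the library at 6"},'
    b'"from":"100000123456","time":1294982485,"msgID":"mid.1294982485123"}'
    b"\x00\x00 trailing cache data "
    b'{"msg":{"text":"ok see you there"},"from":"100000654321",'
    b'"time":1294982530,"msgID":"mid.1294982530456"}'
    b"\x0a\x0a{not json at all}"
)

# Keys a fragment must carry before we treat it as a chat record (assumed).
REQUIRED_KEYS = {"msg", "from", "time", "msgID"}


def carve_chat_fragments(raw: bytes) -> list:
    """Return every JSON object in `raw` that carries the expected chat keys.

    The bytes are decoded as latin-1 so that string offsets equal byte
    offsets. raw_decode() is attempted at every '{'; garbage or truncated
    data simply fails to parse and is skipped, so the carver tolerates the
    surrounding cache noise.
    """
    text = raw.decode("latin-1")
    decoder = json.JSONDecoder()
    hits = []
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            break
        try:
            obj, end = decoder.raw_decode(text, start)  # end is an absolute index
        except json.JSONDecodeError:
            pos = start + 1
            continue
        if isinstance(obj, dict) and REQUIRED_KEYS <= obj.keys():
            hits.append({"offset": start, "data": obj})
            pos = end
        else:
            pos = start + 1
    return hits


def decode_timestamp(ts) -> str:
    """Turn a Unix timestamp into a readable UTC string.

    Values larger than ~10^11 cannot be seconds for any plausible date, so
    they are treated as milliseconds (a common convention in web apps).
    """
    ts = int(ts)
    if ts > 10**11:
        ts //= 1000
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def summarise(raw: bytes) -> list:
    """One row per carved fragment: offset, sender ID, decoded time, msgID, text."""
    rows = []
    for hit in carve_chat_fragments(raw):
        d = hit["data"]
        rows.append((hit["offset"], d["from"], decode_timestamp(d["time"]),
                     d["msgID"], d["msg"]["text"]))
    return rows


if __name__ == "__main__":
    for row in summarise(CONSTRUCTED_RAW):
        print(row)
```

The decoded time for the first constructed fragment, 2011-01-14 05:21:25 UTC, is what a report would cite alongside the byte offset and the message ID; the offset is what lets a second examiner relocate the artefact in the image.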
joachimm
(@joachimm)
Active Member

Seeing that you're still learning let me give you some food for thought.

In regards to my first option, I have been searching for any articles written about Facebook artefacts and have been coming up blank; this is mainly because I don't know what it actually is that I am looking for.

Consider yourself in a real-life investigation.
How would you determine what you are looking for?
How would you determine which artefacts (e.g. files) could be of interest?

I would appreciate any thoughts that you have or suggestions on how to make my assignment more complex.

Some suggestions that come to mind:
* recovering deleted or remnant fragments;
* any other artefacts the Facebook artefacts can be linked to;
* behaviour of the artefacts in different scenarios.

Posted : 14/01/2011 3:56 am
DangerMouse
(@dangermouse)
New Member

…Facebook artefacts and have been coming up blank, this is mainly because I don't know what it actually is that I am looking for. In regards to my second option, I can't think of any way to bulk it out.

Having written a conference paper on the topic of Facebook Forensics, including the chat fragments, I offer the following advice (I am making the assumption this would be for law enforcement):

What do you use Facebook for?
What use of your profile do you think would be of interest to Law Enforcement?
What sort of interactions would be given more weight in a court or investigation?
What has Facebook been used for in offences previously?
What are some of the services Facebook has that you think may be of interest to LEA?

From your original post I hold the following concerns and suggestions:

* Your experiment is limited in scope as chat fragments are very easy to identify on the device, either in unallocated clusters (if deleted) or within the cache areas of web browsers.

* The chat fragments follow a defined JSON format, as indicated in the links in the first post that you provided (the one with the lmgtfy link). The Sausage Factory has some great articles and tools for Facebook Chat.

* How about analysing chat fragments within memory?

* What about chat artefacts on mobile devices?

* What about the identification of chat fragments within different browsers / operating systems?

There should also be a message ID, which is a unique identifier for the message. This could be useful in proving that the discoveries made are not forgeries, because it should allow an investigator the opportunity to contact Facebook in order to retrieve the message from their end, thus ensuring that the evidence will stand up in court.

I disagree entirely with this view. Why do you need to retrieve it from 'their end'? Is it not evidence from the device that there has been Facebook chat with reference to the artefacts located? From my research the message ID is an identifier only between the two persons chatting and is used to stop messages from 'clashing'. Look at the Developer information provided by Facebook. From what I read they are not stored by Facebook. Also, if you are outside of the US, like us in Australia, you would be waiting a long time for any such information due to the legal process of obtaining information by warrant in a foreign country.

Taking the above into account and entirely contradicting myself, you could do an experiment with your collaborator and insert chat artefacts onto the device and see if you can determine whether they are legitimate. Think MAC times on Windows machines, User Assist locations or other artefacts which may indicate a creation by the user and not the Facebook chat application.

To preempt the question, I am unable to supply a copy of my paper as I wrote it for law enforcement and am not releasing it outside of that environment, nor am I comfortable in its release outside of Australia.

I know this has been covered at length before in another thread, but students need to be able to formulate their own, unique and robust experiments and ideas.

DM

Posted : 14/01/2011 10:31 am
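DM's suggested experiment, planting a chat artefact and then asking whether the filesystem metadata agrees with it, can be framed as a small set of consistency rules. The following is an added example written for this thread, not DM's code or anything from the paper mentioned. The records are constructed: each pairs the Unix time embedded in a carved fragment with the created and modified times of the cache file that held it, as a forensic tool would report them. Two rules are applied: a message cannot carry a time later than the last write of the file it sits in (beyond a tolerance for client/server clock skew), and a file whose creation time is later than its modification time has the classic signature of having been copied onto the volume rather than written there.

```python
from datetime import datetime, timezone

# Constructed records: a chat fragment carved from a named cache file, the
# Unix time embedded in the fragment, and the host file's created/modified
# times. File names and all timestamps are made up for this example.
CONSTRUCTED_RECORDS = [
    # Normal: message time falls inside the file's lifetime.
    {"file": "cache/ab12.htm", "msg_time": 1294982485,
     "file_created": 1294982400, "file_modified": 1294982600},
    # Message claims to be from two hours after the file was last written.
    {"file": "cache/cd34.htm", "msg_time": 1294990000,
     "file_created": 1294982400, "file_modified": 1294982600},
    # Created after modified: the pattern left when a file is copied in.
    {"file": "cache/ef56.htm", "msg_time": 1294982485,
     "file_created": 1294982700, "file_modified": 1294982485},
]

# Slack for clock skew between the client machine and the chat server.
TOLERANCE_SECONDS = 300


def fmt(ts: int) -> str:
    """Unix seconds -> readable UTC string for the report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def check_record(rec: dict) -> list:
    """Return a list of reasons the record looks inconsistent (empty = fine)."""
    reasons = []
    if rec["msg_time"] > rec["file_modified"] + TOLERANCE_SECONDS:
        reasons.append(
            "message time %s is later than the file's last write %s"
            % (fmt(rec["msg_time"]), fmt(rec["file_modified"])))
    if rec["file_created"] > rec["file_modified"]:
        reasons.append(
            "file created %s after it was last modified %s (copied onto the volume?)"
            % (fmt(rec["file_created"]), fmt(rec["file_modified"])))
    return reasons


def triage(records: list) -> dict:
    """Map each file to its list of inconsistency reasons."""
    return {rec["file"]: check_record(rec) for rec in records}


if __name__ == "__main__":
    for name, reasons in triage(CONSTRUCTED_RECORDS).items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

A clean result does not prove an artefact is genuine, only that the metadata does not contradict it; the flagged cases are what you would then cross-check against the other sources DM lists.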
Chris_Ed
(@chris_ed)
Active Member

From what I read they are not stored by Facebook.

Just to back you up on this; Facebook absolutely do not store records of Facebook Chat sessions.

If this is the case then I will go on to use the profile ID of one of the accounts in the conversation, in a keyword search that will hopefully reveal the location of more artefacts or any missing fragments of the dummy conversation.

Although this is a good idea in theory, in practice it would be unworkable. Facebook IDs consist of a series of numbers, and performing a keyword search across an entire volume that ID will most likely give you a large amount of false matches.

In terms of how to proceed with your experiment - maybe think about what other services are offered within Facebook, and whether they leave any notable artefacts on the volume.

Posted : 14/01/2011 4:40 pm
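Chris_Ed's point about false matches can be made concrete: a bare digit string will match inside any longer number on the volume. This is an added example for the thread, not Chris_Ed's code. It runs three searches for the same constructed profile ID over a constructed excerpt of a volume: a naive substring search, a search that rejects hits with a digit on either side, and a search that only accepts the ID where it appears as a JSON value of some key. The JSON key names are an assumption for the example, not Facebook's schema.

```python
import re

# Constructed profile ID to hunt for (made up, not a real account).
PROFILE_ID = b"100000123456"

# Constructed volume excerpt. The ID appears once as a JSON value, once as a
# bare word, and three times buried inside longer, unrelated numbers.
CONSTRUCTED_VOLUME = (
    b"invoice ref 9100000123456778 shipped\n"
    b'{"msg":{"text":"hi"},"from":"100000123456","time":1294982485}\n'
    b"serial 100000123456001 counter 41000001234567\n"
    b"user 100000123456 logged in\n"
)


def naive_hits(volume: bytes, needle: bytes) -> list:
    """Plain substring search: every offset where the digits occur."""
    return [m.start() for m in re.finditer(re.escape(needle), volume)]


def bounded_hits(volume: bytes, needle: bytes) -> list:
    """Reject matches that have another digit immediately before or after,
    so the ID is not accepted as a slice of a longer number."""
    pattern = rb"(?<!\d)" + re.escape(needle) + rb"(?!\d)"
    return [m.start() for m in re.finditer(pattern, volume)]


def json_value_hits(volume: bytes, needle: bytes) -> list:
    """Accept the ID only as the value of a JSON key, returning (offset, key).

    The key is captured so a report can say which field held the ID; the
    surrounding quotes are optional because IDs may be serialised as numbers.
    """
    pattern = rb'"(\w+)"\s*:\s*"?' + re.escape(needle) + rb'"?(?!\d)'
    return [(m.start(), m.group(1)) for m in re.finditer(pattern, volume)]


def compare(volume: bytes, needle: bytes) -> dict:
    """Hit counts for the three strategies side by side."""
    return {
        "naive": len(naive_hits(volume, needle)),
        "bounded": len(bounded_hits(volume, needle)),
        "json_value": len(json_value_hits(volume, needle)),
    }


if __name__ == "__main__":
    print(compare(CONSTRUCTED_VOLUME, PROFILE_ID))
    print(json_value_hits(CONSTRUCTED_VOLUME, PROFILE_ID))
```

On the constructed excerpt the naive search returns five hits, the digit-bounded search two, and the JSON-value search one, with the key name "from" attached; across a real volume the gap between the first and last figures is what makes the raw keyword search unworkable.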
Pachino
(@pachino)
New Member

Thanks for all your replies, I've since decided to extend my project to include performing the same experiment but using different browsers in an attempt to see if the chat artefacts change at all as a result.

DangerMouse's idea to 'do an experiment with your collaborator and insert chat artefacts onto the device and see if you can determine whether they are legitimate' sounds very interesting and is something that I would like to perform. The hard bit is trying to artificially introduce Facebook chat artefacts; I'm not sure where to start tbh. I know that it would probably involve copying the htm file over to the new machine but other than that I'm stumped. Is it possible to somehow save the htm file in a separate folder so that you could write it to another machine later? (I will be using the latest version of EnCase to perform this experiment so it would have to be possible within that environment.)

Posted : 14/01/2011 8:10 pm
Pachino
(@pachino)
New Member

I have just spoken to my tutor about this and he says that I should not use different browsers as it has been agreed that another group will carry out those experiments. My partner and I have decided to try to recover private messages left behind once they have been opened up and looked at within Internet Explorer. Do any of you have any idea where these might be or where I can go to find out? Two of us have been searching for journals for at least an hour and a half and found nothing but articles regarding chat… yet again.

(please don't 'lmgtfy' me lol)

Thanks, Pachino

Posted : 14/01/2011 9:03 pm