How Important are Facebook Artifacts?

In March 2013, Facebook reportedly had just over 1 billion users worldwide.
Founded in February 2004, it can be considered one of the grandfathers of
social networking. Nearly ten years later and even with hundreds of other social
networking sites out there, Facebook is still a very popular social medium.

With increased popularity comes the potential that Facebook will be used in
a crime or at least as a secondary source of evidence providing information
about the crime. As a social network, the likelihood of a suspect using
Facebook as a communications medium to discuss an incident can be quite
high. This whitepaper discusses the common Facebook artifacts that can
be potential sources of vital evidence key to an investigation.

After reading this whitepaper you will be able to:

• Identify the common artifacts left behind when forensically examining Facebook activity
• Use digital forensics software to analyze and recover Facebook artifacts such as Chat, Messages, Wall Posts/Comments, Pictures, and URLs
• Understand the types of searches IEF performs and how to best use that information in your investigation

For a forensic investigator, Facebook can be used as an online resource when conducting an investigation and can be a wealth of
information. It can provide a glimpse into a person’s life and a mechanism to obtain photos of potential subjects, friends and family.
Timeline comments can provide geographical information about where a particular person was on a specific date and can reveal the identity
of close friends and other details not readily apparent. Additionally, with Facebook applications available on most mobile devices, further
location data is available from GPS, making Facebook artifacts even more valuable to the investigator.

As an example, in a theft/stolen property case Facebook was used to get a complete family history and an idea of
how the person lived by looking at photos and connecting family members together. Facebook provided the links that
allowed for looking up residence information based on connections and family ties. It also provided phone numbers
that were listed in comments and later tied to fraudulent ads on Craigslist.

Facebook can also provide a wealth of information as a forensics artifact when conducting host-based forensics. In the past
few years there have been several high-profile cases that involved Facebook artifacts even though the crime was not
associated with traditional ‘computer-related’ offenses. For example, here is a recent case where Facebook messages
were found on a victim’s computer (and later on the suspect’s computer) and used to identify a suspect in a murder case.

“Riverside County sheriff’s Investigator Tony Pelato, a computer forensics expert, said he found Facebook chat
messages in Guzman’s computer between Santhiago and Leal, inviting Leal to buy some liquor and meet her at a
park near Roanoke Street where Leal was killed. The chat messages were written minutes before the shooting.”

Or this one:

“According to state police, detectives interviewed a young man named Bryan Butterfield a day after Cable was
reported missing. Butterfield told police that someone had created a phony Facebook account in his name, and police
traced it to Dube’s parents’ house in Orono.

Cable was frequently contacted by the fake Butterfield and agreed to meet with him at the end of her road to get
some marijuana the night she went missing, according to the state police affidavit.
Social media’s role in Nichole’s disappearance and death was a wakeup call for students, many of whom have
become paranoid about online contacts, said Pattershall, Cable’s friend.”

Magnet Forensics - How To Uncover The Covered Tracks - 2


Generally there are six specific categories of artifacts that can be individually identified when examining a computer’s hard disk:

1. Facebook Chat

This artifact is most commonly found as JavaScript Object Notation (JSON) text in the memory of a running
computer and/or in the pagefile.sys and hiberfil.sys file(s).

2. Facebook Messages

Facebook Chat and Messages are now the same artifact, but in older versions of Facebook these were two
different artifacts. This artifact is most commonly found in memory of a running computer and/or in the
pagefile.sys and hiberfil.sys file(s).

3. Facebook Wall Post/Status Update/Comments

HTML that is carved from temporary internet files/web cache and memory.

4. Facebook Webpage Fragment

A fragment of HTML that is carved from temporary internet files/web cache and memory.

5. Facebook Pictures

Facebook pictures have a specific filename pattern and are found in temporary internet files/web cache. The
filename contains three sets of numbers like the following:

‘1221785571_1221785571_10150672801465915_n.jpg’

The second set of numbers can indicate the Facebook user ID the photo belongs to and it can be queried
through Facebook’s ‘graph’ API here: https://developers.facebook.com/tools/explorer

6. Facebook URLs

A URL in any web-related (browser) artifact that references Facebook. These artifacts commonly
reference other Facebook users or specific Facebook activity, for example:

‘https://www.facebook.com/photo.php?fbid=201526933901245715&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater’

201526933901245715 is the photo ID
10150672801465915 is the album ID
1221785571 is the user ID

Viewed photos will appear in the cache file with the name:
‘1221785571_1221785571_10150672801465915_n.jpg’

Viewing messages for profile currently being used:
http://www.facebook.com/messages/joey.flowes
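As an added example (not code from the whitepaper or from IEF), the Python helpers below apply the filename and URL structure described in items 5 and 6: they split a cached photo filename into its three numeric fields, pull the photo, album and user IDs out of a photo.php URL, check whether a cached file and a viewed URL belong to the same album, and scan constructed history-style lines for such URLs. The regex, the assumed positions inside the set parameter and the sample lines are assumptions generalised from the paper's single example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Cached photo filename pattern from the paper: three numeric fields joined by
# underscores plus a suffix such as "_n" (regex is an assumption from one example).
PHOTO_NAME_RE = re.compile(r"^(\d+)_(\d+)_(\d+)_[a-z]\.jpe?g$", re.IGNORECASE)

# Constructed browser-history-style lines (not from the paper's evidence set).
SAMPLE_HISTORY = [
    "2013-03-01 12:00 https://www.facebook.com/photo.php?fbid=201526933901245715"
    "&set=at.10150672801465915.448027.507140714.552175374.1221785571&type=1&theater",
    "2013-03-01 12:01 https://www.facebook.com/messages/joey.flowes",
    "2013-03-01 12:02 https://example.com/unrelated",
]

def parse_photo_filename(name):
    """Split a cached photo filename into its three numeric fields (None if no fit).
    Per the paper, field 2 can indicate the user ID and field 3 is the album ID."""
    m = PHOTO_NAME_RE.match(name)
    if not m:
        return None
    return {"field1": m.group(1), "user_id": m.group(2), "album_id": m.group(3)}

def parse_photo_url(url):
    """Extract photo, album and user IDs from a facebook.com/photo.php URL. Album ID
    (first value after 'at.') and user ID (last value) follow the paper's example."""
    parts = urlparse(url)
    if not parts.netloc.endswith("facebook.com") or not parts.path.endswith("/photo.php"):
        return None
    q = parse_qs(parts.query)
    ids = {"photo_id": q.get("fbid", [None])[0], "album_id": None, "user_id": None}
    set_value = q.get("set", [None])[0]
    if set_value and set_value.startswith("at."):
        fields = set_value[3:].split(".")
        if len(fields) >= 2 and all(f.isdigit() for f in fields):
            ids["album_id"], ids["user_id"] = fields[0], fields[-1]
    return ids

def cache_file_matches_url(filename, url):
    """True when a cached photo's user and album IDs agree with a viewed photo URL."""
    f, u = parse_photo_filename(filename), parse_photo_url(url)
    return bool(f and u and u["album_id"] and
                f["user_id"] == u["user_id"] and f["album_id"] == u["album_id"])

def find_photo_urls(lines):
    """Scan history-style text for Facebook photo URLs (artifact 6) and parse each."""
    urls = (u for line in lines for u in re.findall(r"https?://[^\s\"'<>]+", line))
    return [p for p in map(parse_photo_url, urls) if p]
```

Running find_photo_urls(SAMPLE_HISTORY) returns one hit carrying the photo, album and user IDs from the paper's example URL; the messages and example.com lines are ignored.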

Now that we’ve discussed the kinds of artifacts you are likely to encounter when examining evidence looking for
Facebook activity or generally searching for any Facebook related activity, let’s look at how you can recover them.

Recovering Facebook Artifacts
Facebook artifacts may not seem to apply to your specific case, but they can suddenly be thrust into the forefront of
your investigation due to a conversation, wall post, association or other link made solely through the suspect’s or
victim’s Facebook account. Like general Internet history/activity, it is a category you cannot afford to disregard.

There are tools available to assist in the recovery of Facebook artifacts, including Magnet Forensics’ Internet
Evidence Finder (IEF). IEF includes support for Facebook under the social media artifact category or the Android/iOS
artifact categories for mobile images.

For mobile devices, both Android and iOS Facebook artifacts are supported and can provide investigators a wealth of information,
including the typical artifacts listed above as well as potential GPS coordinates for where a message was sent.

Finding & reviewing these types of artifacts is extremely simple when using IEF. There are four search types that you
can use when looking for Facebook artifacts:

1. Full Search

This is the default search type when using IEF to analyze NTFS, FATx, HFS+ and EXTx file systems. This
search type allows IEF to parse the file system of each volume, identify all the various objects (files, folders
and unallocated space) and search them all. On NTFS partitions, it also individually identifies file system objects
such as the $MFT and $LogFile for targeted searching.

Full search is also available for any Android or iOS physical image acquired by the investigator.

2. Quick Search

This search type causes IEF to search specific file system objects and common files and folder locations that
normally contain Internet-related artifacts. For example, this type of search would target the default locations
for supported browser histories, but would not check every single file/folder.

3. Sector Search

This is the default search type when examining a drive/image that contains an unknown file system. This allows
IEF to search each sector for known artifacts even if the file system itself cannot be read or interpreted.

4. Custom Search

The custom search type allows the user to specify which areas of the volume to search by
selecting/deselecting the various options.

When looking for Facebook artifacts using IEF, the recommended search option is the “Full Search” since it will look
everywhere—including unallocated space for deleted Facebook artifacts. As long as the browser history was not moved to
a non-standard location, you can also use the “Quick search” option. The “Custom search” option would also work as long
as you chose to search all files or common areas/folder locations. Once IEF has completed the artifact search, Facebook
artifacts are individually identified and categorized separately from common web browsing artifacts.

You can then review each Facebook artifact category separately by clicking on the respective artifact subcategory
and viewing the details in the table view.

Each found artifact will have a file offset (if the artifact was found in a specific file) or physical offset (if the artifact was found
in unallocated space or when using the sector search option) displayed in the lower details pane, so you can locate the same
artifact with other third-party tools for validation and additional research.

The example above shows that IEF identified the Facebook Chat message “do you like fun?”. Looking at the details of the artifact,
the source and physical location of the evidence are identified as Sector 11982396, found in unallocated space on an NTFS
image. Taking that information and verifying the details in Disk View using EnCase produces the same result.

While IEF is a reliable tool for forensic investigators, it is always important to verify any findings using multiple tools
and methods to confirm results.

Facebook artifacts leave a wealth of information for investigators.
Whether the investigation is purely focused around an incident occurring
on Facebook or it is supporting a much larger case involving artifacts from
several sources, searching for Facebook artifacts should be done even if
there is a small potential of relevance. Open source information provides
details about the suspect and their known associations and host or mobile
based artifacts reveal conversations, posts, and location data that can be
vital to an investigation. Investigators will continue to see an increase of
social media related evidence in their cases and Facebook remains one
of the largest, and most used social media services available.

For more information call us at 519-342-0195 or email sales@magnetforensics.com

© 2014 Magnet Forensics Inc. All rights reserved. Magnet Forensics®, Internet Evidence Finder™ and related trademarks, names
and logos are the property of Magnet Forensics and are registered and/or used in the U.S. and countries around the world.
All other marks and brands may be claimed as the property of their respective owners.