Expectations of Facebook Data

Written by Amber Schroader

March 8, 2022

As social media continues to rise, so does the power of Facebook. If you are not on it personally, you are on it for your business or to connect with people over a hobby. Being part of the Meta universe has become as essential as getting a driver’s license. So, what does this mean in the world of digital investigations? It means there is always a good snippet of data waiting for you that will give you a little more perspective on an individual’s digital fingerprint.

When approaching a Facebook investigation, there are a variety of methods that can be used to capture and review the information. Each method depends on how the individual chooses to connect to the platform.

Right now, 1.9 billion daily users access Facebook’s platform, a 6.89% increase year-over-year. https://backlinko.com/

That is a lot of people and a lot of data waiting. When people log in via mobile or desktop, which login type leaves the most breadcrumbs for an investigator to pick up? That is the beauty of the cloud in the case of Facebook. The account information is synchronized in the cloud across both login activities, so no single login method produces more data for the investigation. What the different login methods do produce is different spare keys that can gain access to the account.

Smartphone Access

When acquiring a smartphone, there are a variety of methods, from logical and physical to triage acquisitions, that allow you to capture data. However, there is a strong link between seeing this data and having access to the file system of the device.

File system access can be blocked with certain types of acquisitions. For example, a typical ADB backup acquisition does not gain access to the file system. You are typically required to get root-level access to see that file system data.

Here is an example of an Android device with root and one with ADB both with Facebook installed.

When we look at iOS, the access is a little different. The file system has always been limited on Apple devices unless you do a physical image, which is limited to tools like Graykey (itself limited to government or law enforcement use only), or do a jailbreak, which you can see explained in a past article. Either method requires extra steps in the acquisition stage to get the details of the app.

With iOS you can get a lot of app details with a simple change of method: doing an encrypted backup with a known password. This allows a lower level of access than you would have with a typical backup, and access to additional data.

Here is an example of a typical non-encrypted backup acquisition vs an encrypted backup acquisition with a device that has the Facebook App.
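Before processing an iOS backup, it is worth confirming which kind of backup you actually have. The following is an added example, not code from the original article or from any forensic tool: it reads the Manifest.plist of an iTunes/Finder-style backup folder and reports whether the backup is encrypted, the iOS version, and whether the Facebook apps are listed. The key names (IsEncrypted, Lockdown, Applications), the bundle IDs, and the sample backup it builds are assumptions and constructed values, not taken from the article.

```python
import plistlib
import tempfile
from pathlib import Path

# Bundle IDs for the two apps discussed here (assumption, not from the article).
FACEBOOK_APPS = {
    "com.facebook.Facebook": "Facebook",
    "com.facebook.Messenger": "Facebook Messenger",
}

def summarize_backup(backup_dir):
    """Report encryption state, iOS version and listed Facebook apps
    from the Manifest.plist of an iTunes/Finder-style backup folder."""
    manifest_path = Path(backup_dir) / "Manifest.plist"
    if not manifest_path.is_file():
        raise FileNotFoundError(f"no Manifest.plist in {backup_dir}")
    with manifest_path.open("rb") as fh:
        manifest = plistlib.load(fh)  # accepts XML and binary plists
    apps = manifest.get("Applications") or {}
    return {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "ios_version": (manifest.get("Lockdown") or {}).get("ProductVersion"),
        "facebook_apps": sorted(n for b, n in FACEBOOK_APPS.items() if b in apps),
    }

def acquisition_note(summary):
    """One-line note for the case file, based on the summary above."""
    if not summary["facebook_apps"]:
        return "No Facebook app listed in this backup."
    apps = ", ".join(summary["facebook_apps"])
    if summary["encrypted"]:
        return f"Encrypted backup lists: {apps}."
    return (f"Non-encrypted backup lists: {apps}; "
            "re-acquire as an encrypted backup with a known password.")

def make_sample_backup(root, encrypted):
    """Constructed sample: a folder holding only a minimal Manifest.plist."""
    folder = Path(root) / ("encrypted" if encrypted else "plain")
    folder.mkdir(parents=True)
    manifest = {"IsEncrypted": encrypted,
                "Lockdown": {"ProductVersion": "15.3.1"},
                "Applications": {"com.facebook.Messenger": {}, "com.example.notes": {}}}
    with (folder / "Manifest.plist").open("wb") as fh:
        plistlib.dump(manifest, fh)
    return folder

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for flag in (False, True):
            print(acquisition_note(summarize_backup(make_sample_backup(tmp, flag))))
```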

Now that you can see that you need to be mindful of the acquisition method to get the best possible local data from the device, it is also important to look at two other data sources when it comes to Facebook.

Cloud Access

Cloud access is when the credentials for an account are used to log in to that account via a forensic tool and download and capture that information. It is always recommended that you have the appropriate legal rights to access this data, with consent from the user.

To access this information, the free version of the E3 Forensic Platform allows you to use the cloud capture capabilities for Facebook. You can enter the details manually.

The other option, if you are working with an acquired device, is to capture the Authentication Data and open that to see the valuable cloud keys that exist on the device.

With either method you will get a portion of the Facebook data that exists on the cloud servers associated with the account.

Data found with cloud collection

Data Type: Includes

Profile Information: General Profile Information, Education, Work Experience

Friends: Friends

News Feed: News Feed, Attachments/News Feed

Notifications: Notifications

Conversations: Conversation List, Conversations, Attachments/Conversations

Picture Albums: Picture Album List, Picture Albums

Compliance Archive

After seeing what can be captured with cloud access you might think you have all the possible data, but that is where you are wrong. The final method of capture is a Compliance Archive. This method allows the collection of data with consent through Facebook itself and the processing of that data in your forensic tool.

To request a compliance archive, you must have access and consent to the account in question. Follow these steps to request the archive.

Step 1. Security Settings

Step 2. Download Your Information

Step 3. Add as New Evidence

Once you have requested the archive, it can take a few days for the archive to be generated. Once you have the archive, you can add it into your tool for review.

After all of these different collection methods, the big question for any investigator is: which method captures the most data?

Facebook Data from Device App

Android:
Current User Info, Raw Settings, Contacts, Conversations, Recovered Conversations
Facebook Messenger: Current User Info, Raw Settings, Contacts, Conversations, Recovered Conversations

iOS:
Facebook (supported for iOS 7.1.2 and lower): Profile Information, Friends, News Feed, Notifications, Conversations
Facebook Messenger (iOS 8 and higher): Conversations, Conversation list, Current User Info, Contacts, Stories, Recovered Conversations

Facebook Data from Cloud

Android: Profile Information, Friends, News Feed, Notifications, Conversations, Picture Albums (including actual pictures)
iOS: Profile Information, Friends, News Feed, Notifications, Conversations, Picture Albums (including actual pictures)

Facebook Data from Compliance Archive

Saved items and collections, Voting locations and reminders, Messages, Posts, Polls, Events, Facebook Gaming, Your Places, Facebook Payments, Facebook Marketplace, Comments and reactions, Stories, Bug Bounty, Short Videos, Volunteering, Fundraisers, Groups, Your problem reports, Reviews, Shops questions & answers, Live Audio Rooms, Spark AR, Communities, Other activity

Personal Information, Facebook Portal, Profile Information, Journalist Registration, Facebook Assistant, Facebook Accounts Center, Other Personal Information, Friends and Followers, Your topics, Location, Music Recommendations, Search, Facebook News, Notifications, Your interactions on Facebook, Activity Messages, Privacy Checkup, Other Logged Information, Security and login information, Apps and websites off Facebook, News Feed, Preferences, Ads information

Conclusion

With the variety of techniques to capture data, one thing is beyond doubt: you need to use them all. Don’t limit yourself in how you collect or even in the tools you collect with. The point of every investigation is to find the truth in the data, and you can’t do that if you don’t have all the data.
