As social media continues to rise, so does the power of Facebook. If you are not on it personally, you are on it for your business or to connect with people over a hobby. Being part of the Meta universe has become as essential as getting a driver’s license. So, what does this mean in the world of digital investigations? It means there is always a good snippet of data waiting for you that will give you a little more perspective on an individual’s digital fingerprint.
When approaching a Facebook investigation, there are a variety of methods you can use to capture and review the information. Each method depends on how the individual chooses to connect to the platform.
Right now, 1.9 billion daily users access Facebook’s platform, a 6.89% increase year-over-year. https://backlinko.com/
That is a lot of people and a lot of data waiting. When people log in via mobile or desktop, which login type leaves the most breadcrumbs for an investigator to pick up? That is the beauty of the cloud in the case of Facebook: the account information is synchronized in the cloud regardless of how the user logs in, so no single login method produces more data for the investigation. What the different login methods do produce is different spare keys that can be used to gain access to the account.
Smartphone Access
When acquiring a smartphone, there are a variety of methods, from logical and physical to triage acquisitions, that allow you to capture data. However, there is a big link between seeing this data and having access to the file system of the device.
File system access can be blocked with certain types of acquisitions. For example, a typical ADB backup acquisition does not gain access to the file system. You are typically required to get root-level access to be able to see that file system data.
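To see what an ADB backup actually holds before relying on it, the following added example (not from the original article or any forensic tool) parses the `.ab` header and lists the data files each package contributed. The sample backup and the `com.example.notes` package are constructed for illustration; `com.facebook.katana` is the Facebook Android package name.

```python
import io
import tarfile
import zlib

def parse_ab(data: bytes) -> dict:
    """Read an ADB backup (.ab) header and list the data files each app contributed."""
    # Header is four text lines: magic, format version, compression flag, encryption.
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != b"ANDROID BACKUP":
        raise ValueError("not an ADB backup file")
    info = {
        "version": int(parts[1]),
        "compressed": parts[2] == b"1",
        "encryption": parts[3].decode("ascii"),
        "packages": {},
    }
    if info["encryption"] != "none":
        return info  # payload is protected by the backup password; not handled here
    payload = zlib.decompress(parts[4]) if info["compressed"] else parts[4]
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        for member in tar:
            # App data is stored as apps/<package>/<domain>/..., e.g. db/, sp/, f/
            path = member.name.split("/")
            if path[0] == "apps" and len(path) >= 3:
                files = info["packages"].setdefault(path[1], [])
                if path[2] != "_manifest":
                    files.append("/".join(path[2:]))
    return info

def build_sample_ab() -> bytes:
    """Constructed sample: one hypothetical app with data, plus shared storage."""
    entries = [
        ("apps/com.example.notes/_manifest", b"1\n"),
        ("apps/com.example.notes/db/notes.db", b"SQLite format 3\x00"),
        ("apps/com.example.notes/sp/prefs.xml", b"<map/>"),
        ("shared/0/DCIM/IMG_0001.jpg", b"\xff\xd8\xff"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries:
            entry = tarfile.TarInfo(name)
            entry.size = len(content)
            tar.addfile(entry, io.BytesIO(content))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    info = parse_ab(build_sample_ab())
    for pkg in ("com.example.notes", "com.facebook.katana"):
        print(pkg, info["packages"].get(pkg, "not in backup"))
```

A package that is missing from the listing contributed nothing to the backup, which is the cue to plan a file system level acquisition for that app.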
Here is an example of an Android device with root and one with ADB both with Facebook installed.

When we look at iOS, the access is a little different. File system access has always been limited on Apple devices unless you do a physical image, which requires tools like Graykey that are limited to government or law enforcement use only, or a jailbreak, which you can see explained in a past article. Either method requires extra steps in the acquisition stage to get the details of the app.
With iOS you can get a lot of app details with a simple change of method: doing an encrypted backup with a known password. This gives lower-level access than a typical backup and exposes additional data.
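A quick triage of an existing iOS backup folder can tell you whether it was taken encrypted and whether the Facebook apps are listed in it. This is an added example, not code from the original article or from any forensic tool; it reads the `IsEncrypted`, `Lockdown` and `Applications` keys of the backup's `Manifest.plist`, and the sample backup, its iOS version and the `reacquire_encrypted` flag name are constructed for illustration.

```python
import plistlib
from pathlib import Path

# Bundle identifiers of the Facebook and Messenger iOS apps
FACEBOOK_BUNDLE_IDS = ("com.facebook.Facebook", "com.facebook.Messenger")

def triage_backup(backup_dir) -> dict:
    """Summarise an iOS backup folder from its Manifest.plist."""
    with (Path(backup_dir) / "Manifest.plist").open("rb") as fh:
        manifest = plistlib.load(fh)
    apps = manifest.get("Applications", {})  # dict keyed by bundle identifier
    found = [bundle for bundle in FACEBOOK_BUNDLE_IDS if bundle in apps]
    encrypted = bool(manifest.get("IsEncrypted", False))
    return {
        "encrypted": encrypted,
        "ios_version": manifest.get("Lockdown", {}).get("ProductVersion"),
        "facebook_apps": found,
        # Facebook is present but the backup is unencrypted: a second,
        # encrypted backup with a known password is worth taking.
        "reacquire_encrypted": bool(found) and not encrypted,
    }

def write_sample_backup(backup_dir, encrypted: bool) -> None:
    """Constructed sample manifest; real manifests carry many more keys."""
    manifest = {
        "IsEncrypted": encrypted,
        "Lockdown": {"ProductVersion": "16.0"},
        "Applications": {"com.facebook.Facebook": {}, "com.example.notes": {}},
    }
    Path(backup_dir).mkdir(parents=True, exist_ok=True)
    with (Path(backup_dir) / "Manifest.plist").open("wb") as fh:
        plistlib.dump(manifest, fh)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_backup(Path(tmp) / "plain", encrypted=False)
        print(triage_backup(Path(tmp) / "plain"))
```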
Here is an example of a typical non-encrypted backup acquisition vs an encrypted backup acquisition with a device that has the Facebook App.

Now that you can see that you need to be mindful of the acquisition method to get the best possible local data from the device, it is also important to look at two other data sources when it comes to Facebook.
Cloud Access
Cloud access is when the credentials for an account are used to log in to that account via a forensic tool and download and capture its information. It is always recommended that you have the appropriate legal rights to access this data, with consent from the user.
To access this information, the free version of the E3 Forensic Platform allows you to use the cloud capture capabilities for Facebook. You can enter the details manually as seen below:

The other option, if you are working with an acquired device, is to capture the Authentication Data and open it to see the valuable cloud keys that exist on the device.

With either method you will get a portion of the Facebook data that exists on the cloud servers associated with the account.
Data found with cloud collection
| Data Type | Includes |
| --- | --- |
| Profile Information | General Profile Information, Education, Work Experience |
| Friends | Friends |
| News Feed | News Feed, Attachments/News Feed |
| Notifications | Notifications |
| Conversations | Conversation List, Conversations, Attachments/Conversations |
| Picture Albums | Picture Album List, Picture Albums |
Compliance Archive
After seeing what can be captured with cloud access you might think you have all the possible data, but that is where you are wrong. The final method for capture is done through a Compliance Archive. This method allows the collection of data with consent through Facebook itself and the processing of that data in your forensic tool.

To request a compliance archive you must have access and consent to the account in question. Follow these steps to request the archive.
Step 1. Security Settings

Step 2. Download Your Information

Step 3. Add as New Evidence
Once you have requested the archive it can take a few days for the archive to be generated. Once you have the archive you can add it into your tool for review.

After all of these different collection methods the big question for any investigator is which method captures the most data?
Facebook Data from Device App
- Android: Current User Info, Raw Settings, Contacts, Conversations, Recovered Conversations
- Android, Facebook Messenger: Current User Info, Raw Settings, Contacts, Conversations, Recovered Conversations
- iOS, Facebook (supported for iOS 7.1.2 and lower): Profile Information, Friends, News Feed, Notifications, Conversations
- iOS, Facebook Messenger (iOS 8 and higher): Conversations, Conversation list, Current User Info, Contacts, Stories, Recovered Conversations

Facebook Data from Cloud
- Profile Information, Friends, News Feed, Notifications, Conversations, Picture Albums (including actual pictures)

Facebook Data from Compliance Archive
- Saved items and collections, Voting locations and reminders, Messages, Posts, Polls, Events, Facebook Gaming, Your Places, Facebook Payments, Facebook Marketplace, Comments and reactions, Stories, Bug Bounty, Short Videos, Volunteering, Fundraisers, Groups, Your problem reports, Reviews, Shops questions & answers, Live Audio Rooms, Spark AR, Communities, Other activity
- Personal Information, Facebook Portal, Profile Information, Journalist Registration, Facebook Assistant, Facebook Accounts Center, Other Personal Information, Friends and Followers, Your topics, Location, Music Recommendations, Search, Facebook News, Notifications, Your interactions on Facebook, Activity Messages, Privacy Checkup, Other Logged Information, Security and login information, Apps and websites off Facebook, News Feed, Preferences, Ads information
Conclusion
With the variety of techniques to capture data, one thing leaves no doubt: you need to use them all. Don’t limit yourself when it comes to how you are collecting or even the tools you are using to collect with. The point of every investigation is to find the truth in the data, and you can’t do that if you don’t have all the data.