By Amber Schroader
As social media continues to rise, so does the power of Facebook. If you are not on it personally, you are on it for your business or to connect with people who share a hobby. Being part of the Meta universe has become as essential as getting a driver’s license. So, what does this mean in the world of digital investigations? It means there is always a good snippet of data waiting for you that will give you a little more perspective on an individual’s digital fingerprint.
When approaching a Facebook investigation there are a variety of methods that can be used to capture and review the information. Which method applies depends on how the individual chooses to connect to the platform.
Right now, 1.9 billion daily users access Facebook’s platform, a 6.89% increase year-over-year.
That is a lot of people and a lot of data waiting. When people log in via mobile or desktop, which login type leaves the most breadcrumbs for an investigator to pick up? That is the beauty of the cloud in the case of Facebook. The account information is synchronized through both login paths in the cloud, so no single login method produces more data for the investigation. What the different login methods do produce are different spare keys (cached credentials and session tokens) that can gain access to the account.
When acquiring a smartphone there are a variety of methods, from logical and physical to triage acquisitions, that allow you to capture data. However, whether you can see this data depends heavily on whether the acquisition gives you access to the file system of the device.
File system access is blocked by certain types of acquisition. For example, a typical ADB backup acquisition does not reach into the file system: it contains only what each app opts into backing up, not the app’s private directory under /data/data. You typically need root level access to see that file system data.
Here is an example of an Android device acquired with root and one acquired with ADB backup, both with Facebook installed.
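To make the ADB-versus-root point concrete, here is an added example (written for this edit, not code from the original article or from Paraben’s tooling) that parses an `adb backup` archive and reports which packages actually contributed data. The .ab container format is a four-line text header followed by an optionally zlib-compressed tar stream; the package names in the constructed sample archive are illustrative, and the sample deliberately contains no Facebook package, standing in for an app that has opted out of backup.

```python
"""Inspect an Android 'adb backup' archive (.ab) and report which apps contributed data.

Added example. An .ab file is four header lines ("ANDROID BACKUP", version,
compressed flag, encryption) followed by a tar stream that is zlib-deflated when
compressed == 1. Only apps that allow backup appear under apps/<package>/; the
private /data/data/<package> directories of everything else need root to acquire.
"""
from __future__ import annotations

import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP\n"


def parse_ab(data: bytes) -> tuple[dict, bytes]:
    """Split an .ab file into its header fields and the raw tar bytes.

    Password-protected archives (encryption != 'none') are rejected here: they
    must be decrypted with the backup password before the tar is readable.
    """
    if not data.startswith(AB_MAGIC):
        raise ValueError("not an Android backup file")
    rest = data[len(AB_MAGIC):]
    version, rest = rest.split(b"\n", 1)
    compressed, rest = rest.split(b"\n", 1)
    encryption, payload = rest.split(b"\n", 1)
    header = {
        "version": int(version),
        "compressed": compressed == b"1",
        "encryption": encryption.decode("ascii"),
    }
    if header["encryption"] != "none":
        raise ValueError(f"archive is encrypted ({header['encryption']}); decrypt it first")
    if header["compressed"]:
        payload = zlib.decompress(payload)
    return header, payload


def app_data_summary(tar_bytes: bytes) -> dict[str, list[str]]:
    """Map each package in the backup to the relative paths it contributed.

    Members look like apps/<package>/<kind>/<path> (kind: _manifest, db, sp, f,
    r, ...). Anything outside apps/, such as shared/ storage, is ignored.
    """
    summary: dict[str, list[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if len(parts) < 3 or parts[0] != "apps":
                continue
            summary.setdefault(parts[1], []).append("/".join(parts[2:]))
    return summary


def missing_packages(tar_bytes: bytes, wanted: list[str]) -> list[str]:
    """Packages of interest that left no trace in the backup (root is needed for those)."""
    present = app_data_summary(tar_bytes)
    return [pkg for pkg in wanted if pkg not in present]


def build_sample_ab(members: dict[str, bytes]) -> bytes:
    """Constructed sample: assemble a version-5, compressed, unencrypted .ab in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return AB_MAGIC + b"5\n1\nnone\n" + zlib.compress(buf.getvalue())


# Constructed sample. There are no apps/com.facebook.katana/ entries: an app that
# sets android:allowBackup="false" simply never shows up in an ADB backup.
SAMPLE_AB = build_sample_ab({
    "apps/com.android.settings/_manifest": b"(manifest)",
    "apps/com.android.settings/db/settings.db": b"SQLite format 3\x00",
    "apps/com.example.notes/sp/prefs.xml": b"<map/>",
    "shared/0/Download/readme.txt": b"not app data",
})

if __name__ == "__main__":
    header, tar_bytes = parse_ab(SAMPLE_AB)
    print(header)
    for pkg, paths in app_data_summary(tar_bytes).items():
        print(pkg, paths)
    print("needs root:", missing_packages(tar_bytes, ["com.facebook.katana"]))
```

Run it against a real archive by replacing `SAMPLE_AB` with the bytes of the `.ab` file; a package that appears in `missing_packages` is one whose data you will only get from a root-level or physical acquisition.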
With iOS the access is a little different. The file system has always been limited on Apple devices unless you take a physical image, which is limited to tools like GrayKey that are restricted to government and law enforcement use, or jailbreak the device, as explained in a past article. Either method requires extra steps in the acquisition stage to get the details of the app.
With iOS you can still get many app details through a simple change of method: take an encrypted backup with a known password. An encrypted backup includes data that a standard unencrypted backup leaves out, giving you a deeper level of access to the app’s data.
Here is an example of a typical non-encrypted backup acquisition versus an encrypted backup acquisition of a device that has the Facebook app installed.
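As an added illustration of the iOS side (example code written for this edit, not taken from the article or from any Paraben product), the following checks the two index files at the top of an iOS backup folder: Manifest.plist, whose IsEncrypted key tells you which kind of backup you are looking at, and Manifest.db, the SQLite index of every backed-up file by domain. The bundle identifier com.facebook.Facebook is the app’s real identifier; the group-container domain name and the file paths in the constructed sample are assumptions for illustration. In an encrypted backup Manifest.db is itself encrypted and has to be decrypted with the known password before it can be queried, which is what the guard in `triage_backup` enforces.

```python
"""Triage an iOS backup's index files for Facebook app content.

Added example. Manifest.plist holds the backup-wide flags (IsEncrypted, BackupKeyBag,
Applications, Lockdown); Manifest.db is a SQLite index with a Files table
(fileID, domain, relativePath, flags, file). In an encrypted backup Manifest.db is
itself encrypted and must be decrypted with the known password before querying.
"""
from __future__ import annotations

import plistlib
import sqlite3
from pathlib import Path

# com.facebook.Facebook is the app's real bundle id; the group-container domain
# name is an assumption for illustration.
FACEBOOK_DOMAINS = (
    "AppDomain-com.facebook.Facebook",
    "AppDomainGroup-group.com.facebook.Facebook",
)


def backup_flags(manifest_plist: bytes) -> dict:
    """Read the backup-wide flags; this decides whether a password step comes first."""
    info = plistlib.loads(manifest_plist)
    return {
        "is_encrypted": bool(info.get("IsEncrypted", False)),
        "has_keybag": "BackupKeyBag" in info,
        "apps": sorted(info.get("Applications", {})),
        "ios_version": info.get("Lockdown", {}).get("ProductVersion"),
    }


def files_by_domain(conn: sqlite3.Connection, domains=FACEBOOK_DOMAINS) -> dict[str, list[str]]:
    """List regular files (flags == 1; 2 marks a directory) indexed under the given domains."""
    placeholders = ",".join("?" * len(domains))
    query = (
        "SELECT domain, relativePath FROM Files "
        f"WHERE domain IN ({placeholders}) AND flags = 1 "
        "ORDER BY domain, relativePath"
    )
    out: dict[str, list[str]] = {}
    for domain, rel_path in conn.execute(query, domains):
        out.setdefault(domain, []).append(rel_path)
    return out


def triage_backup(folder: Path) -> dict:
    """Run both checks against a real backup folder (the UDID directory)."""
    flags = backup_flags((folder / "Manifest.plist").read_bytes())
    if flags["is_encrypted"]:
        # Manifest.db is unreadable until the backup is decrypted with the known password.
        return {**flags, "facebook_files": None}
    conn = sqlite3.connect(folder / "Manifest.db")
    try:
        return {**flags, "facebook_files": files_by_domain(conn)}
    finally:
        conn.close()


# ---- constructed sample data ----
SAMPLE_MANIFEST_PLIST = plistlib.dumps({
    "Version": "10.0",
    "IsEncrypted": True,
    "BackupKeyBag": b"\x00" * 16,
    "Applications": {"com.facebook.Facebook": {"CFBundleIdentifier": "com.facebook.Facebook"}},
    "Lockdown": {"ProductVersion": "16.0"},
})


def sample_manifest_db() -> sqlite3.Connection:
    """In-memory Manifest.db with the real Files schema and made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    rows = [
        ("a" * 40, "AppDomain-com.facebook.Facebook", "Library", 2, None),
        ("b" * 40, "AppDomain-com.facebook.Facebook",
         "Library/Preferences/com.facebook.Facebook.plist", 1, None),
        ("c" * 40, "AppDomain-com.facebook.Facebook", "Documents/example-cache.db", 1, None),
        ("d" * 40, "AppDomainGroup-group.com.facebook.Facebook", "Library/shared-example.db", 1, None),
        ("e" * 40, "HomeDomain", "Library/SMS/sms.db", 1, None),
    ]
    conn.executemany("INSERT INTO Files VALUES (?, ?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    print(backup_flags(SAMPLE_MANIFEST_PLIST))
    print(files_by_domain(sample_manifest_db()))
```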
Now that you can see you need to be mindful of the acquisition method to get the best possible local data from the device, it is also important to look at two other data sources when it comes to Facebook.
Cloud access is when the credentials for an account are used to log in to that account via a forensic tool and download and capture the information held on Facebook’s servers. Whichever way you obtain access, it is always recommended that you have the appropriate legal authority to access this data, normally consent from the user.
To access this information, the free version of the E3 Forensic Platform allows you to use its cloud capture capabilities for Facebook. You can enter the details manually, as seen below:
The other option, if you are working with an acquired device, is to capture the Authentication Data and open it to see the valuable cloud keys (stored session tokens) that exist on the device.
With either method you will get a portion of the Facebook data that exists on the cloud servers associated with the account.
Data found with cloud collection
After seeing what can be captured with cloud access you might think you have all the possible data, but that is not the case. The final method for capture is a Compliance Archive. This method collects data, with consent, through Facebook itself and then processes that data in your forensic tool.
What is a compliance archive?
This is a collection of data that Facebook provides based on a request from the end user. The data covers a large span of time, typically from the creation of the account to the point of the request.
To request a compliance archive you must have access to, and consent for, the account in question. You will do the following steps to request the archive.
Step 1. Security Settings
Step 2. Download Your Information
Step 3. Add as New Evidence
Once you have requested the archive it can take a few days to be generated. Once you have it, you can add it into your tool for review.
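Once the archive arrives, most of the work is normalizing its JSON. The following is an added example (written for this edit, not the article’s or any vendor’s code) that reads the JSON-format “Download Your Information” zip, walks the messages/inbox threads, undoes the export’s well-known string encoding quirk (non-ASCII text is written as one \u00XX escape per UTF-8 byte, so every string must be re-decoded as latin-1 and then UTF-8), and builds a UTC-ordered timeline. The thread folder names and messages in the zip are constructed sample data; the field names (participants, messages, sender_name, timestamp_ms, content, title) follow the JSON export.

```python
"""Turn a Facebook 'Download Your Information' JSON archive into a message timeline.

Added example. Assumes the JSON export layout messages/inbox/<thread>/message_N.json,
each holding {"participants": [...], "messages": [{"sender_name", "timestamp_ms",
"content", ...}], "title": ...}. The export escapes each UTF-8 byte of non-ASCII
text as its own \\u00XX sequence, so strings must be re-decoded (latin-1 -> UTF-8).
"""
from __future__ import annotations

import io
import json
import zipfile
from datetime import datetime, timezone


def fix_text(value: str) -> str:
    """Undo the export's byte-wise escaping; leave already-correct text untouched."""
    try:
        return value.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return value


def fix_strings(obj):
    """Apply fix_text to every string inside a parsed JSON structure."""
    if isinstance(obj, str):
        return fix_text(obj)
    if isinstance(obj, list):
        return [fix_strings(item) for item in obj]
    if isinstance(obj, dict):
        return {key: fix_strings(val) for key, val in obj.items()}
    return obj


def load_threads(archive: bytes) -> list[dict]:
    """Read every messages/inbox/*/message_*.json file from the zip."""
    threads = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in sorted(zf.namelist()):
            if not name.startswith("messages/inbox/"):
                continue
            leaf = name.rsplit("/", 1)[-1]
            if leaf.startswith("message_") and leaf.endswith(".json"):
                threads.append(fix_strings(json.loads(zf.read(name))))
    return threads


def timeline(threads: list[dict]) -> list[dict]:
    """Flatten all threads into one list ordered by time, timestamps rendered in UTC."""
    rows = []
    for thread in threads:
        for msg in thread.get("messages", []):
            ts_ms = msg.get("timestamp_ms")
            if ts_ms is None:  # older exports carried "timestamp" in seconds
                ts_ms = int(msg.get("timestamp", 0)) * 1000
            rows.append({
                "ts_ms": ts_ms,
                "when": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat(),
                "thread": thread.get("title", ""),
                "sender": msg.get("sender_name", ""),
                "content": msg.get("content", ""),
            })
    rows.sort(key=lambda row: row["ts_ms"])
    return rows


def build_sample_archive() -> bytes:
    """Constructed sample zip; the \\u00XX-style strings mimic the export's escaping."""
    thread_a = {
        "participants": [{"name": "Jane Doe"}, {"name": "Account Owner"}],
        "messages": [
            {"sender_name": "Account Owner", "timestamp_ms": 1700000500000, "content": "ok"},
            {"sender_name": "Jane Doe", "timestamp_ms": 1700000000000,
             "content": "Let\u00e2\u0080\u0099s meet at the caf\u00c3\u00a9"},
        ],
        "title": "Jane Doe",
        "thread_path": "inbox/janedoe_1234567890",
    }
    thread_b = {
        "participants": [{"name": "Account Owner"}, {"name": "Sam Roe"}],
        "messages": [
            {"sender_name": "Sam Roe", "timestamp_ms": 1699999000000, "content": "earlier note"},
        ],
        "title": "Sam Roe",
        "thread_path": "inbox/samroe_0987654321",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("messages/inbox/janedoe_1234567890/message_1.json", json.dumps(thread_a))
        zf.writestr("messages/inbox/samroe_0987654321/message_1.json", json.dumps(thread_b))
        zf.writestr("messages/inbox/janedoe_1234567890/photos/1.jpg", b"\xff\xd8 not parsed")
    return buf.getvalue()


SAMPLE_ARCHIVE = build_sample_archive()

if __name__ == "__main__":
    for row in timeline(load_threads(SAMPLE_ARCHIVE)):
        print(row["when"], row["thread"], row["sender"], row["content"])
```

The same `fix_strings` pass applies to the other JSON files in the archive (comments, reactions, login history); only the per-file field names differ.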
After all of these different collection methods the big question for any investigator is which method captures the most data?
Facebook Data from Device App
  Facebook (supported for iOS 7.1.2 and lower): Current User Info
  Facebook Messenger (iOS): Current User Info

Facebook Data from Cloud
  Current User Info
  Profile Information
  Friends
  News Feed
  Notifications
  Conversations
  Picture Albums (Including Actual Pictures)

Facebook Data from Compliance Archive
  Saved items and collections
  Voting locations and reminders
  Comments and Reactions
  Your problem reports
  Shops questions & answers
  Live Audio Rooms
  Facebook Accounts Center
  Other Personal Information
  Friends and Followers
  Your interactions on Facebook
  Other Logged Information
  Security and login Information
  Apps and websites off Facebook
With the variety of techniques to capture data, one thing is beyond doubt: you need to use them all. Don’t limit yourself when it comes to how you are collecting or even the tools you are using to collect with. The point of every investigation is to find the truth in the data, and you can’t do that if you don’t have all the data.
This article was written by Amber Schroader of Paraben Corporation and originally appeared on the Forensic Impact Blog at this link: https://paraben.com/expectations-of-facebook-data/