The analysis process mainly uses various physical and logical acquisition tools for memory forensics, together with Internet evidence-finding tools for searching or rebuilding the web browser cache. Once evidence of a Facebook activity has been located, its footprints can be examined by referring to the response from the corresponding Facebook communication. The same activity may be tested several times with different content to increase accuracy.
The research produced some significant findings. Facebook core objects can be located in different memory units, including RAM, the browser cache, pagefiles, unallocated clusters and the system restore point of a computer. More importantly, these findings match those from virtual machines and the corresponding snapshot images. Although separate sets of results are obtained from the iPhone and Android phone because the Facebook App differs from a standard web browser, evidence can still be located in the file system using mobile device forensics tools.
This is an abstract from the "Facebook Forensics" paper published by Valkyrie-X Security Research Group on July 5th. You can view it on Google Docs or download it in PDF format.