
Facebook forensics

URL Signatures

When a user views a JPEG or PNG served by Facebook (a profile picture, an album photo, etc.), the URL's hostname usually contains "fbcdn" or "facebook"; profile pictures usually also have "profile" in the hostname. Against that subset of URLs you can apply the regular expressions below: the capturing group in each one is the numeric ID of the user who owned that particular image. The single letter a, s, n, or q in the file name encodes the size of the image. There are a few main varieties of image URL, each with underscore-separated numeric fields, and one expression below matches each of them. These layouts are the ones in use around 2009-2011 (the period of the references below), so check them against the URLs actually present in your evidence before relying on the extracted IDs.

  • /\d+_(\d+)_\d+_[qs]\. (profile-picture form; q is small, s is large)
  • [as](\d+)_\d+_\d+\. (the size letter precedes the user ID; s is small, a is large)
  • \d+_\d+_(\d+)_\d+_\d+_[asnq]\. (the user ID is the third field; s is small, a is medium, n is large, q is square)
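The following script is an added example, not part of the original page or of any tool it lists. It applies the three URL varieties above (hostname pre-filter, one pattern per form, size-letter lookup) to a constructed set of sample URLs and collects the extracted user IDs. The function names, the form labels "profile", "photo" and "hphoto", and every ID in the sample input are made up for illustration.

```python
"""Extract the owning user ID and size code from historical Facebook image URLs."""
import re
from urllib.parse import urlparse

# One entry per URL variety described on the page. Each regex is applied to the
# URL path only and has two named groups: uid (the user ID) and size (the
# single-letter size code). Form labels are this example's own names.
URL_FORMS = (
    # profile-picture form:  /<dir>/<n>_<uid>_<n>_<q|s>.jpg
    ("profile",
     re.compile(r"/\d+_(?P<uid>\d+)_\d+_(?P<size>[qs])\.(?:jpe?g|png)$", re.I),
     {"q": "small", "s": "large"}),
    # photos form:           /<dirs>/<s|a><uid>_<n>_<n>.jpg  (size letter first)
    ("photo",
     re.compile(r"/(?P<size>[as])(?P<uid>\d+)_\d+_\d+\.(?:jpe?g|png)$", re.I),
     {"s": "small", "a": "large"}),
    # five-field form:       /<dir>/<n>_<n>_<uid>_<n>_<n>_<a|s|n|q>.jpg
    ("hphoto",
     re.compile(r"/\d+_\d+_(?P<uid>\d+)_\d+_\d+_(?P<size>[asnq])\.(?:jpe?g|png)$", re.I),
     {"s": "small", "a": "medium", "n": "large", "q": "square"}),
)

# Loose URL matcher for scanning free text (history exports, carved cache, strings output).
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def is_facebook_image_host(host):
    """Hostname pre-filter from the page: keep hosts containing 'fbcdn' or 'facebook'."""
    host = (host or "").lower()
    return "fbcdn" in host or "facebook" in host


def parse_facebook_image_url(url):
    """Return {'form', 'user_id', 'size', 'profile_host'} for a recognised
    Facebook image URL, or None when the host or path does not match."""
    parts = urlparse(url.strip())
    if not is_facebook_image_host(parts.hostname):
        return None
    for form, pattern, sizes in URL_FORMS:
        m = pattern.search(parts.path)  # query string (if any) is already split off
        if m:
            return {
                "form": form,
                "user_id": m.group("uid"),
                "size": sizes[m.group("size").lower()],
                "profile_host": "profile" in (parts.hostname or "").lower(),
            }
    return None


def extract_user_ids(text):
    """Scan free text for Facebook image URLs; return {user_id: [matching urls]}."""
    found = {}
    for url in URL_RE.findall(text):
        info = parse_facebook_image_url(url)
        if info:
            found.setdefault(info["user_id"], []).append(url)
    return found


# Constructed sample input: the IDs are invented and only follow the URL shapes.
SAMPLE_HISTORY = """
http://profile.ak.fbcdn.net/hprofile-ak-snc4/41614_100000123456789_5555_q.jpg
http://photos-a.ak.fbcdn.net/photos-ak-snc1/v2789/12/34/123456789/s123456789_12345_1234.jpg
http://sphotos.ak.fbcdn.net/hphotos-ak-snc6/hs123.snc6/12345_10150123456789_123456789_1234567_111_n.jpg?dl=1
http://example.com/cdn/41614_100000123456789_5555_q.jpg
https://www.facebook.com/photo.php?fbid=10150123456789
"""

if __name__ == "__main__":
    for uid, urls in sorted(extract_user_ids(SAMPLE_HISTORY).items()):
        print(uid)
        for u in urls:
            print("   ", parse_facebook_image_url(u)["size"], u)
```

The two non-matching sample lines show the two ways a URL is rejected: the example.com URL has the right file-name shape but fails the hostname filter, and the facebook.com photo.php link passes the hostname filter but carries no image file name to parse. Matching is done on the path only, so trailing query strings do not break the `$` anchor.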

See also

Residual Data

  • Facebook Forensics, SANS Computer Forensics and Incident Response Blog entry, June 11, 2009. A few notes and links (repeated above), mostly on tracing photos back to Facebook.
  • Facebook Memory Forensics, SANS Computer Forensics and Incident Response Blog entry, Nov. 20, 2009. Discussion of Facebook details left in memory.
  • Facebook Chat Forensics, March 20, 2009. Details how to recover chat messages from the JavaScript and JSON entries.
  • Facebook Forensics, Valkyrie-X Security Research Group, July 5, 2011. Notes the group's successes and failures in recovering Facebook artifacts from RAM and storage.

Network Forensics

  • Thoughts about the impact of Facebook's SSL decision on network forensics, by Netresec, January 30, 2011

Tools

  • Facebook Forensic Toolkit: an eDiscovery toolkit to identify and clone full profiles, including wall posts, private messages, uploaded photos and tags, and group details; it can graphically illustrate friend links and generate expert reports.
  • Belkasoft Evidence Center: carves Facebook data such as chats, wall posts and photos from live RAM dumps, hibernation files and pagefiles.