Forensic artifacts of Facebook's instant messaging service - IEEE Xplore

6th International Conference on Internet Technology and Secured Transactions, 11-14 December 2011, Abu Dhabi, United Arab Emirates

Forensic artifacts of Facebook’s instant messaging service

Noora Al Mutawa, Ibtesam Al Awadhi, Ibrahim Baggili, and Andrew Marrington
Advanced Cyber Forensics Research Laboratory, College of Information Technology, Zayed University, United Arab Emirates
{m80000952,m80000938,ibrahim.baggili,andrew.marrington}@zu.ac.ae

Abstract— This paper highlights the importance of Facebook’s instant messaging service (Facebook Chat) as a potential source of evidence in an investigation. The paper discusses the process of recovering and reconstructing artifacts left by the use of Facebook Chat on a computer’s hard disk. The paper describes experiments in which Facebook Chat conversations in Latin and Arabic character sets were conducted using three major web browsers, and then forensically retrieved. The results highlight how Facebook Chat artifacts of Arabic conversations can be difficult to locate with keyword search functions. The paper describes appropriate steps to overcome these difficulties.

Keywords-Facebook forensics, chat analysis, Facebook artifacts, Unicode

I. INTRODUCTION

In recent years, social networking websites have become pervasive in our society, especially among the young. Millions of people around the globe use these websites to socialize online with friends, family, co-workers, or even strangers. They share information, post pictures, and communicate through chat applications built into these websites. Many people post large amounts of private information on social networking websites, which could be misused by malicious subscribers. The behavior of even privacy-conscious users may expose far more of their personal information than they had intended [1]. By the sheer volume and ubiquity of social networking websites, we may assume that most of their subscribers predominantly use them for innocent activities. Users can subscribe to these websites regardless of their age, gender, interests, or intentions. Essentially anybody can subscribe to these social networking websites, with no more than an easily ignored “Terms of Use” page stopping them from signing up. The ease of access for both children and sexual predators can lead to these websites becoming a vehicle for online predation on underage users. Additionally, social networking websites are yet another avenue for identity theft [2], online scams [3], cyber-bullying [4], and other illegal or antisocial behavior. Social networking websites are clearly relevant to digital investigations, and the recovery of evidence from the use of such sites is clearly important.

Facebook is one of the most popular social networking websites. Facebook has more than 500 million active users around the world [5], and around 1.7 million users in the United Arab Emirates itself [6]. One of the features that Facebook provides is the chat function; a web-based instant messaging tool. Facebook’s instant messaging service (Facebook Chat) provides users the ability to communicate by sending instant messages to one another. These instant messages can be of great importance to the digital forensic examiner as they can be of great evidentiary value. In fact, there are many cases where Facebook Chat messages have provided useful evidence. However, the extraction of instant messages via hard drive examination is known to be a difficult task [7]. This is because many instant messaging tools do not store the content of messages on the hard disk drive. Instead, the messages are often stored in RAM only, and thus only fragments of very recent conversations may be recoverable, and even then, only with great difficulty.

The purpose of this paper is to understand Facebook Chat, and the recovery and reconstruction of artifacts left by the use of Facebook Chat when undertaking a forensic analysis of a hard-disk drive. Facebook can be accessed through various types of devices including computers, mobile phones, tablets, and “smart” televisions. However, this paper does not examine the possibility of extracting instant messaging artifacts from small scale devices or from volatile memory.

978-1-908320-00-1/11/$26.00 ©2011 IEEE

II. RELATED WORK

Previous related work in the area of the forensic recovery and analysis of instant messaging artifacts includes both scientific literature and software tools intended to assist digital investigators. Instant messaging did not, of course, start with Facebook Chat. Standalone instant messenger chat programs predate Facebook and remain popular, with a large variety of clients and protocols in common use. With such a variety in instant messenger clients, the forensic artifacts which can be located and retrieved by analysts also vary [7]. There is also a difference in the basic style of forensic analysis, as instant messaging forensic artifacts can be retrieved both from volatile memory and from the hard disk. This section briefly discusses some of the related work in instant messaging forensic artifact recovery and analysis.

Instant Messenger Contacts are stored in contact lists in instant messenger programs. Depending on the instant messaging solution in use, contact lists can be stored both on the servers of the instant messenger program’s provider (e.g. Yahoo, AOL, Skype) and on the local hard disk. Local artifacts of contact lists can be useful in investigations of online predation, where the suspect may claim that his/her IM account has been taken over by a third party. As observed by Mike Dickson, finding evidence (in the form of IM contact artifacts) that the suspect’s computer has been used to contact the victim can help to refute such a claim [8]. Dickson discussed how this evidence can be obtained, with varying degrees of success, in a dead analysis of a suspect’s hard disk with respect to MSN Messenger 7.5 [8], Yahoo Messenger 7.0 [9], AOL Instant Messenger 5.5 [10], and Trillian basic 3.x [11]. Wouter van Dongen expanded upon Dickson’s work with MSN/Windows Messenger, finding more instant messaging artifacts with Windows Live Messenger 8.0 [12] using a file signature and known file structure-based approach. Using a similar approach, van Dongen also described the recovery of various chat artifacts including contacts left behind by Pidgin Messenger 2.0 [13]. Examining volatile memory dumps rather than acquired hard disk images, Gao and Cao recovered account and contact information from QQ 8.0 [14]. Simon and Slay recovered contact artifacts from Skype both via volatile memory analysis (of a virtual machine) [15] and dead analysis, and observed that the latter was more reliable [16]. Kiley et al. examined several web-based instant messaging clients, AIM Express, Google Talk, Meebo and E-buddy, and were able to retrieve contact lists but had more limited success retrieving the contents of IMs [17]. With respect to Facebook Chat, the “contact list” is the suspect’s Facebook friends list. However, the suspect’s Facebook friends at the time of the investigation may not include contacts who have been “defriended” since the time of the crime. Further, a suspect may claim that their Facebook account has been taken over by a third party. Therefore, forensic contact artifacts may be important for cases involving Facebook Chat.

The content of communications via instant messaging tools, the instant messages themselves, are also of relevance to digital investigations. In many cases, suspects have not disabled their instant messenger client’s logging functions, and consequently, their “conversations” may be located on the hard disk, whether in plain-text or encoded or encrypted formats [7]. The exact location and format of these logs will vary between every instant messenger client. In cases where log functions have been disabled, artifacts may potentially be found in volatile memory or in swap files on the computer’s hard disk [18], although full conversations are unlikely to be recovered. Facebook Chat differs from other instant messaging services in that it is primarily a web-based chat service provided through the Facebook website. Facebook Chat artifacts can therefore be considered to be a subset of web artifacts more generally. We are aware of two publicly available tools which may assist an investigator in the recovery of Facebook Chat artifacts. The first tool is Internet Evidence Finder (IEF) which was developed to extract chat messages from both web-based and application-based instant messaging. IEF offers a function to extract Facebook Chat messages. It searches for sent and received Facebook Chat message artifacts in live memory, virtual memory swap files, and in unallocated space. It then extracts the entire bulk of these messages and puts them into a .CSV file. The examiner must examine these chunks of information and manually extract and organize useful parts of the instant messaging conversation. The second tool is Facebook Chat Parser (V1.4), which is an EnScript distributed by Guidance Software and must be implemented and run within the EnCase Forensic application. However, our own experiments with Facebook Chat Parser failed because we could not resolve the numerous error messages it produced.

III. METHODOLOGY

This section describes the tests we conducted with Facebook Chat. We wanted to work with realistic data which would be similar to that found in an actual investigation. In a real investigation, suspects may use Facebook Chat through different browsers and conduct IM conversations in multiple languages. Our experiment is designed accordingly.

A. Test Environment

In order to perform the test, we used a Dell Precision PWS 490 workstation with 3.25 GB RAM, Windows XP Professional Service Pack 2 and a 300 GB hard-disk formatted with NTFS. This computer was our “suspect workstation”. The test was conducted using three different web browsers, Internet Explorer version 8.0.6001.18702, Mozilla Firefox version 3.6.11, and Google Chrome version 7.0.517.41. We used the three different browsers to discover how each browser caches or stores instant messages exchanged during a chat session on Facebook Chat, and the hard disk locations where these messages were stored. For forensic analysis, we used EnCase Forensic version 6.8.1.8, and we employed a FastBloc 2 write blocker to prevent modification of the suspect workstation’s hard disk during image acquisition.

B. Experiment

We created two fictional Facebook users and a set of unique strings which would be used as the instant messaging conversations and would be easy to identify during the examination process. Since we were using three different web browsers on the same computer, we created three sets of unique strings. Each set of unique strings would be used on a single web browser. This decision was taken to ensure that chat messages were unique to each web browser, and would not be confused with other chat messages sent using Facebook Chat used through other web browsers. Table 1 lists the unique string sets we used. Each string was used individually in a different instant message. Notice that we used strings in both the Latin and Arabic character sets. This was to test how strings in different languages used during a Facebook Chat session were stored and whether they could be detected using a keyword string search during a postmortem forensic examination of the hard disk. In real cases people involved may use different languages during a Facebook Chat conversation, and we wanted to test artifact recovery in such a scenario.

After conducting the conversations on each web browser, we logged out of Facebook, and acquired a bit-stream image of the test hard disk using EnCase version 6.8.1.8 and a FastBloc 2 write blocker. We verified the acquired image and started our examination. As a first step, we built a keyword list that included the unique keyword sets used in the conversations (listed in Table 1). We selected the keywords used on Internet Explorer and ran a string search on the Temporary Internet Files directory. This step was to determine whether Facebook Chat’s sessions were cached and stored in this area. After getting the results from this search, we selected all the keywords and ran another search on the entire acquired image of the test hard disk. This step was to determine where all chat messages conducted through the three web browsers were stored, and whether remnants of Facebook Chat sessions could be found on locations on the test hard disk other than the Temporary Internet Files folder. The results of this test are discussed in the next section.

TABLE I. UNIQUE KEYWORDS USED IN THE EXPERIMENT

First Set (Internet Explorer)
    superkali | بلقعا
    konnichiwa | هيابنانصطاد
    wakarimasen | صراعالجبابرة

Second Set (Mozilla Firefox)
    ittadaikemas | البعلبكي
    wakarimashta | سنديانت
    sempai | سنقور

Third Set (Google Chrome)
    chotto matte | سمرقند
    gudasai | معشوشب
    gomennasai | دعويقت

IV. RESULTS

This section discusses the results of our experiment for each set of keywords. We describe the location of the Facebook Chat artifacts left by each browser. We also discuss the different procedures necessary to retrieve Arabic Facebook Chat artifacts.

A. First Set – Internet Explorer

For the first keywords set, the search session on the Temporary Internet Files directory resulted in one search hit for each Latin character set keyword. The chat message containing each keyword was stored in an individual text file named according to the pattern p_[number string]=[number][1].txt such as “p_100000480604332=2[1].txt” (see Figure 1). Examining the contents of the text files showed that each contained a script which had a single chat message within it. It also included important information related to the chat message such as a unique message ID, the sender’s name and profile number, the recipient’s name and profile number, and the date and time. All files containing the chat messages were constructed in the same format as shown in Figure 1. The script in these text files is in JavaScript Object Notation (JSON), which is a text-based human-readable script. The time in these scripts was in UNIX format and could be decoded to get the actual time of the chat messages.

Figure 1. Facebook Chat message files. This figure illustrates how instant messaging conversations conducted on Facebook are constructed and stored on a hard disk.

The search session on the Latin character set keywords on the entire acquired image of the test hard disk resulted in an average of 20 hits for each keyword. However, the complete chat scripts, including chat messages and other information were found in the $LogFile, $MFT, and the previously mentioned text files stored in the Temporary Internet Files directory. Also, for one keyword (“konnichiwa”) the full chat script was found in the CatRoot file (C:\WINDOWS\system32\CatRoot). Remnants of the messages were also found in pagefile.sys and unallocated clusters.

As for the Arabic keywords, both searches resulted in zero hits for all keywords. However, by manually examining the p_[number string]=[number][1].txt files in the Temporary Internet Files directory we found three files that contained Unicode escape character sequences where the actual chat messages should have been. In order to check whether these Unicode escape character sequences represented the Arabic keywords we used during the Facebook chat communication, we took each Arabic keyword and converted it into Unicode escape character sequences (see Table 2). Then, we compared the Unicode escape sequences of the Arabic keywords against the Unicode escape sequences in the text files. Each string had a match in one of the text files. Figure 2 shows the chat scripts in the three text files and highlights the matching Unicode escape character sequences.

After confirming that the Unicode sequences in the text files were in fact the Arabic keywords we used in the Facebook chat communication, we ran another string search on the acquired image of the test hard disk using the Unicode escape character sequences instead of the Arabic strings. The full script of the chat messages was found in the $MFT, “pagefile.sys”, and the text files in the Temporary Internet Files directory.
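The conversion-and-search step described above, written out as an added example (it is not code from the paper or from any forensic tool): each keyword is turned into the byte patterns it can take on disk, including the escaped form from Table II, and a raw buffer is scanned for all of them. The keywords come from the paper; the cache bytes and the JSON field names are constructed for illustration and are not Facebook's actual record layout. The example goes slightly beyond the paper's case by matching hex digits in either case and by emitting surrogate pairs for characters outside the Basic Multilingual Plane.

```python
import re

# Keywords taken from Tables I and II of the paper.
KEYWORDS = ["بلقعا", "صراعالجبابرة", "superkali", "konnichiwa"]

# Constructed sample: binary junk around two JSON-like records (field names
# are hypothetical), one UTF-16LE string and one plain ASCII string.
SAMPLE_CACHE = (
    b"\x00\x01\xfe"
    b'{"from":"A","text":"\\u0628\\u0644\\u0642\\u0639\\u0627"}'
    b"\xff\xff"
    b'{"from":"B","text":"\\u0635\\u0631\\u0627\\u0639\\u0627\\u0644'
    b'\\u062c\\u0628\\u0627\\u0628\\u0631\\u0629"}'
    b"\x00\x00s\x00u\x00p\x00e\x00r\x00k\x00a\x00l\x00i\x00\x00\x00"
    b"msg=konnichiwa\x00"
)

def utf16_units(ch):
    """UTF-16 code units of one character as 4-digit hex (two units outside the BMP)."""
    raw = ch.encode("utf-16-be")
    return ["%04X" % int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]

def to_json_escapes(keyword):
    """Keyword as written in an ASCII-only JSON record: non-ASCII becomes \\uXXXX."""
    return "".join(
        ch if ord(ch) < 0x80 else "".join("\\u" + u for u in utf16_units(ch))
        for ch in keyword
    )

def escape_regex(keyword):
    """Byte regex for the escaped form; hex digits are matched in either case."""
    parts = []
    for ch in keyword:
        if ord(ch) < 0x80:
            parts.append(re.escape(ch))
            continue
        for unit in utf16_units(ch):
            digits = "".join("[%s%s]" % (c, c.lower()) if c.isalpha() else c for c in unit)
            parts.append(r"\\u" + digits)
    return re.compile("".join(parts).encode("ascii"))

def search_patterns(keyword):
    """One byte pattern per on-disk form worth searching for."""
    forms = {
        "utf-8": re.compile(re.escape(keyword.encode("utf-8"))),
        "utf-16le": re.compile(re.escape(keyword.encode("utf-16-le"))),
    }
    if not keyword.isascii():  # the escaped form only differs for non-ASCII text
        forms["json-escape"] = escape_regex(keyword)
    return forms

def scan(buf, keywords):
    """Return sorted (offset, keyword, form) tuples for every hit in a raw buffer."""
    hits = []
    for kw in keywords:
        for form, rx in search_patterns(kw).items():
            hits.extend((m.start(), kw, form) for m in rx.finditer(buf))
    return sorted(hits)

ESCAPE_RUN = re.compile(rb"(?:\\u[0-9A-Fa-f]{4})+")

def decode_escapes(raw):
    """Turn runs of \\uXXXX in carved bytes back into readable text."""
    def repl(match):
        units = bytes.fromhex(match.group(0).replace(b"\\u", b"").decode("ascii"))
        return units.decode("utf-16-be", errors="replace").encode("utf-8")
    return ESCAPE_RUN.sub(repl, raw).decode("utf-8", errors="replace")

if __name__ == "__main__":
    for offset, kw, form in scan(SAMPLE_CACHE, KEYWORDS):
        print(offset, form, to_json_escapes(kw))
    print(decode_escapes(SAMPLE_CACHE[3:56]))
```

A plain UTF-8 or UTF-16 search for the Arabic keywords finds nothing in this buffer, which mirrors the zero-hit result reported above; only the escaped pattern matches.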

TABLE II. ARABIC KEYWORDS AND THE CORRESPONDING UNICODE ESCAPE CHARACTER SEQUENCE.

Arabic Strings | Unicode Strings
    بلقعا | \u0628\u0644\u0642\u0639\u0627
    هيابنانصطاد | \u0647\u064A\u0627\u0628\u0646\u0627\u0646\u0635\u0637\u0627\u062F
    صراعالجبابرة | \u0635\u0631\u0627\u0639\u0627\u0644\u062C\u0628\u0627\u0628\u0631\u0629

Figure 2. The three Facebook Chat messages we found, with the Unicode escape character sequences representing the Arabic keywords used in the test highlighted.

B. Second Set – Firefox

For the second keywords set sent via Facebook Chat through Mozilla Firefox, the search session on the Latin character set keywords resulted in an average of five hits for each keyword. The full format of the three chat scripts was found in the “_CACHE_001_” file which is located in a cache directory underneath the Firefox profiles directory (..\Mozilla\Firefox\Profiles\hub4ga09.default\Cache\). The format of the second set of messages recovered for Firefox was identical to the format of the first set recovered for Internet Explorer. Remnants of the chat messages were also found in pagefile.sys and unallocated clusters. As for the Arabic keywords, similar to the first set, the search resulted in zero hits for all keywords. Yet, when manually examining the contents of the “_CACHE_001_” file, we found three full chat messages which included Unicode escape character sequences where we expected to see the text of the instant message. Converting the Arabic keywords to Unicode escape sequences and comparing them to the Unicode escape sequences found in the chat scripts resulted in a match for each keyword. This confirmed that the Unicode escape character sequences were in fact the Arabic keywords used during the instant messaging conversation.

C. Third Set – Chrome

For the third keywords set used on Google Chrome, the search session on the Latin character set keywords resulted in an average of two hits for each keyword. The full format of the chat scripts was found in the file “data_1” which is located in the Chrome browser cache (..\Google\Chrome\User Data\Default\Cache\). The format of messages sent using Chrome was identical to the format of the messages sent using Firefox and Internet Explorer. Remnants of the Facebook Chat sessions were found in the file “Current Session” located in the same directory. The search session did not result in any positive hits on other areas of the hard disk. For the Arabic keywords, the search resulted in zero hits. Again, when manually examining the contents of the file “data_1”, we found three full chat scripts which included Unicode escape character sequences where the text of the instant message should have been. Converting the Arabic keywords to Unicode escape character sequences and comparing them to the sequences found in the chat scripts resulted in a single match for each keyword. This confirmed that the Unicode escape character sequences were in fact the Arabic keywords used during the instant messaging conversation.

V. DISCUSSION

The results mentioned in the previous section show that instant messages exchanged during a Facebook Chat session in the web browser are cached and stored on the computer’s hard disk. The locations where these messages are stored vary depending on the web browser used to conduct the communication. In some cases, remnants of the chat sessions are scattered across different parts of the hard disk. However, the full bulk of the chat scripts is usually found in certain locations. Digital forensic examiners can start by looking at these locations before running a search on the entire image of a hard disk, which could significantly reduce the examination time.

With respect to the differences between browsers, the results also show that when using Internet Explorer for conducting a Facebook Chat communication, more artifacts of the chat session can be found on the hard disk than can be located when using Mozilla Firefox or Google Chrome. This is likely caused by the way Internet Explorer’s cache operates. Firefox and Chrome appended the Facebook Chat messages to larger files (“_CACHE_001_” and “data_1” respectively), whereas Internet Explorer stored this information in a number of smaller files within the Temporary Internet Files directory. As these files were smaller, they were much more likely to fit within the $MFT. Likewise, the $LogFile is the NTFS journal, and smaller files are more likely to be found within the $LogFile in an investigation. The most likely explanation for the remnants of the messages found in the pagefile.sys file and in unallocated clusters about the disk is that the messages were stored in virtual memory. The file pagefile.sys is the Windows XP virtual memory swap file, and would contain remnants of Facebook Chat messages when memory pages containing those messages were swapped out of RAM to the disk during the system’s normal operation. It seems likely that the remnants of Facebook Chat messages discovered in the unallocated clusters are the result of the same process – they were contained in pages swapped to the disk, and then when the system was able to reduce the size of the pagefile.sys, the disk clusters in which those message remnants were stored were unallocated. This speculation is based on the normal operation of virtual memory and does not arise from direct observation during the experiment.

Furthermore, Arabic strings used during Facebook Chat sessions are converted into Unicode escape character sequences when cached and saved on the hard disk. We speculate that this is because the cache files in question are not by default encoded in Unicode. This would prevent getting hits when performing an Arabic string search on an acquired image of a suspect’s hard disk. Instead, the Arabic keywords for which the investigator wished to search would need to be converted into Unicode escape character sequences prior to the keyword search. Manual conversion of Unicode escape character sequences to readable strings (in Arabic or any other character set) and vice versa is a tedious task. Therefore, in cases where Arabic strings were used in Facebook Chat sessions, extra time and effort would be required on the part of the examiner to find evidence on the suspect’s hard disk. The fact that Arabic strings used in Facebook Chat sessions are converted to Unicode escape character sequences leads us to predict that other non-Latin character set strings used in Facebook Chat (and possibly any web browser-based IM client) would be treated in the same manner. We note that although Internet Evidence Finder supports Unicode, the version we tested does not actually detect Unicode strings which have been converted into escape character sequences in this fashion.

VI. FUTURE WORK

There are clear areas for future work in the forensic recovery of Facebook Chat artifacts. Most obviously, we intend to repeat our experiment with non-Latin character sets other than Arabic, to confirm our speculation that the procedure will be the same for all character sets other than those which can be written in the same encoding as the browser’s cache files. Further, as our results showed that the location of artifacts varied from browser to browser, it is logical to assume that different operating system and browser combinations will also leave Facebook Chat artifacts in different locations. We therefore intend to repeat our experiments examining workstations running several other operating systems, including Windows 7, Mac OS X and popular Linux distributions.

Since Facebook Chat scripts have a single format, a tool can be developed to parse these scripts, extract important artifacts, and present them in a well-formatted report. Basically, the digital forensic examiner would first have to carve the hard disk for these scripts. This could be accomplished by specifying a unique header and footer for these scripts and using a digital forensic tool such as EnCase or FTK to carve them. The scripts would then be saved in text files. When the tool runs, it should first check the format of each script. If the script was in the right format, the tool should start processing the data and extracting the Facebook Chat artifacts. The results would be presented in a well-formatted tabular design that is easy to read and analyze. The tool could also incorporate a function to convert Unicode escape character sequences back into human readable strings.

Approximately half of Facebook’s users access Facebook through a mobile device, such as a smartphone or tablet. According to Facebook, these users are twice as active as users who do not access Facebook through a mobile device [5]. Husain and Sridhar examined three popular instant messaging platforms (AIM, Yahoo and Google Talk) on the Apple iPhone, showing that some IM artifacts left behind on the iPhone could be retrieved [19]. It is clear that expanding the search for Facebook Chat artifacts, and Facebook artifacts more generally, to mobile devices is an important area for future research.

Moving beyond Facebook, there are many other popular social networking services whose use may leave potentially valuable forensic artifacts, both on computer systems and on mobile devices. Scope remains for work into the forensic artifacts of services such as Twitter, Flickr, and others.

VII. CONCLUSION

The use of social networking websites like Facebook can leave behind potentially rich sources of digital evidence. The retrieval of various instant messenger artifacts, including contacts and conversations, is also important to many investigations. This paper examined the artifacts left by the use of Facebook Chat, a web-based instant messaging client built into the Facebook website, and highlighted some key points in the extraction and reconstruction of these artifacts. The experiment found that artifacts of Arabic conversations were not found by keyword searches conducted with existing forensics software. Instead, the Arabic keywords had to be transformed into Unicode escape character sequences and those sequences had to be used in the keyword search. It is important that forensic examiners investigating Facebook Chat conversations which may have taken place in languages with non-Latin character sets, such as Arabic, take appropriate steps in order to ensure that they do not miss potentially important artifacts.

REFERENCES

[1] A. Acquisti and R. Gross, “Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook,” in Privacy Enhancing Technologies, vol. 4258/2006, Springer, 2006, pp. 36-58.
[2] MSNBC, “Red Tape - Facebook ID theft targets ‘friends’,” 30-Jan-2009. [Online]. Available: http://redtape.msnbc.msn.com/_news/2009/01/30/6345792facebook-id-theft-targets-friends. [Accessed: 26-May-2011].
[3] Action Fraud, “Profile stalking Facebook scam,” 23-May-2011. [Online]. Available: http://www.actionfraud.org.uk/profilestalking-facebook-scam-may11. [Accessed: 26-May-2011].
[4] D. Bates, “Facebook cyberbullying: Schoolgirls arrested ‘for creating fake page with naked pictures’,” Mail Online, 14-Jan-2011. [Online]. Available: http://www.dailymail.co.uk/news/article-1347034/Facebookcyberbullying-Schoolgirls-arrested-creating-fake-page-nakedpictures.html. [Accessed: 26-May-2011].
[5] Facebook, “Statistics.” [Online]. Available: http://www.facebook.com/press/info.php?statistics. [Accessed: 26-May-2011].
[6] S. Al Rumaithi, “Facebook registers record number of surfers in UAE,” TopNews Arab Emirates. [Online]. Available: http://topnews.ae/content/21620-facebook-registers-recordnumber-surfers-uae. [Accessed: 26-May-2011].
[7] Belkasoft, “Digital Forensics - Forensic Investigation of Instant Messenger Histories,” Forensic Focus. [Online]. Available: http://www.forensicfocus.com/forensic-investigation-of-instantmessenger-histories. [Accessed: 26-May-2011].
[8] M. Dickson, “An examination into MSN Messenger 7.5 contact identification,” Digital Investigation, vol. 3, no. 2, pp. 79-83, Jun. 2006.
[9] M. Dickson, “An examination into Yahoo Messenger 7.0 contact identification,” Digital Investigation, vol. 3, no. 3, pp. 159-165, Sep. 2006.
[10] M. Dickson, “An examination into AOL Instant Messenger 5.5 contact identification,” Digital Investigation, vol. 3, no. 4, pp. 227-237, Dec. 2006.
[11] M. Dickson, “An examination into Trillian basic 3.x contact identification,” Digital Investigation, vol. 4, no. 1, pp. 36-45, Mar. 2007.
[12] W. van Dongen, “Forensic artefacts left by Windows Live Messenger 8.0,” Digital Investigation, vol. 4, no. 2, pp. 73-87, Jun. 2007.
[13] W. van Dongen, “Forensic artefacts left by Pidgin Messenger 2.0,” Digital Investigation, vol. 4, no. 3-4, pp. 138-145, Sep. 2007.
[14] Y. Gao and T. Cao, “Memory Forensics for QQ from a Live System,” Journal of Computers, vol. 5, no. 4, pp. 541-548, Apr. 2010.
[15] M. Simon and J. Slay, “Recovery of Skype Application Activity Data from Physical Memory,” in 2010 International Conference on Availability, Reliability and Security, Krakow, Poland, 2010, pp. 283-288.
[16] M. Simon and J. Slay, “What are you Looking for: Identification of Remnant Communication Artefacts in Physical Memory,” in Proceedings of the 1st International Cyber Resilience Conference, Perth, Australia, 2010, pp. 83-89.
[17] M. Kiley, S. Dankner, and M. Rogers, “Forensic Analysis of Volatile Instant Messaging,” in Advances in Digital Forensics IV, vol. 285, Boston: Springer, 2008, pp. 129-138.
[18] J. Reust, “Case study: AOL instant messenger trace evidence,” Digital Investigation, vol. 3, no. 4, pp. 238-243, Dec. 2006.
[19] M. I. Husain and R. Sridhar, “iForensics: Forensic Analysis of Instant Messaging on Smart Phones,” in Digital Forensics and Cyber Crime, vol. 31, Springer, 2010, pp. 9-18.