For this lab, we’ll be using Santoku Linux with the Bless hexadecimal editor to extract Facebook artifacts from a Windows 7 memory dump.

The main objective of this lab is to find evidence of Facebook activity in a volatile memory dump. It is all about knowing the format of the Facebook protocol data that may appear in a RAM dump.

Facebook data can in fact be cached on disk or in RAM, and an examiner could recover evidence such as the following:

Comments

Messages / Chats

Contacts

Finding it requires identifying the JSON structure or HTML tags used for each kind of data. The following describes how each of the data types listed above is cached in RAM.

Facebook data formats

Facebook Comments:

The comment structure is quite confusing and time-consuming to analyze (as is most Facebook data) since it contains everything related to the post being commented on and everyone who reacted to the post. A basic comment is structured as follows:

    "comments": [{
        "body": {
            "text": "THE COMMENT IS HERE",
            "ranges": [],
            "aggregatedranges": []
        },
        "isfeatured": false,
        "likecount": 0,
        "hasviewerliked": false,
        "canremove": true,
        "canreport": true,
        "canedit": false,
        "isauthorweakreference": false,
        "istranslatable": false,
        "viewercanlike": true,
        "cancomment": true,
        "spamreplycount": 0,
        "commentshareuri": "\/ajax\/sharer\/?s=69&appid=RANDOM ID&id=COMMENT ID&p\u00255B0\u00255D=POST ID",
        "canembed": false,
        "id": "POST ID_COMMENT ID",
        "fbid": "COMMENT ID",
        "legacyid": "COMMENT ID",
        "author": "COMMENT AUTHOR PROFILE ID",
        "ftentidentifier": "POST ID",
        "source": 3,
        "highlightcomment": false,
        "timestamp": {
            "time": 1462374818,
            "text": "Yesterday at 16:13",
            "verbose": "Wednesday, 4 May 2016 at 16:13"
        }
    }]

Facebook Messages and Chats:

It’s not possible to recover every chat conversation, since it’s unlikely that all of them are cached or loaded in volatile memory. The JSON structure of Facebook messages and conversations looks like the following:

    {
        "message_id": "mid.1462213293948:fa2e2453d700e5a934",
        "threading_id": null,
        "offline_threading_id": "6132952131090314292",
        "author": "fbid:SENDER FACEBOOK ID",
        "author_email": "SENDER FACEBOOK ID\u0040facebook.com",
        "ephemeral_ttl_mode": null,
        "timestamp": 1462213293954,
        "timestamp_absolute": "Monday",
        "timestamp_relative": "Mon",
        "timestamp_datetime": "Monday 19:21",
        "timestamp_time_passed": 1,
        "is_unread": false,
        "is_forward": false,
        "is_filtered_content": false,
        "is_filtered_content_bh": false,
        "is_filtered_content_account": false,
        "is_filtered_content_quasar": false,
        "is_filtered_content_invalid_app": false,
        "is_sponsored": false,
        "commerce_message_type": null,
        "forward_count": 0,
        "forward_message_ids": [],
        "source": "source:chat:web",
        "source_tags": ["source:chat"],
        "tags": ["inbox", "source:chat:web", "cg-enabled"],
        "is_spoof_warning": false,
        "folder": "inbox",
        "thread_fbid": "SENDER FACEBOOK ID",
        "other_user_fbid": "SENDER FACEBOOK ID",
        "body": "MESSAGE OR CHAT GOES HERE",
        "subject": "MESSAGE SUBJECT",
        "has_attachment": false,
        "attachments": [],
        "raw_attachments": null,
        "ranges": [],
        "meta_ranges": null,
        "thread_id": "0ShVpOpXKCiRUkL8JxoXdg",
        "action_type": "ma-type:user-generated-message"
    }

Facebook Contacts:

Contacts appearing in the ticker and some of the most recently active contacts can be recovered as well. Every contact is defined like the following:

    "CONTACT ID": {
        "id": "CONTACT ID",
        "name": "CONTACT NAME",
        "firstName": "CONTACT FIRST NAME",
        "vanity": "CONTACT VANITY NAME",
        "thumbSrc": "LINK TO CONTACT'S PROFILE PICTURE",
        "uri": "https:\/\/www.facebook.com\/CONTACT VANITY NAME",
        "gender": 2,
        "i18nGender": 16777216,
        "type": "friend",
        "is_friend": true,
        "mThumbSrcSmall": null,
        "mThumbSrcLarge": null,
        "dir": null,
        "searchTokens": ["XXX", "YYYY", "ZZ"],
        "alternateName": "",
        "is_nonfriend_messenger_contact": false
    }

searchTokens are words or parts of words that can be typed in the search form to find the user. Assuming my name on Facebook is Soufiane Tahiri, the tokens could be “Souf”, “Soufiane” and “Tahiri”; whichever one you type, you’ll get suggestions that may lead to my profile if I’m in your friends list.

All placeholder text shown in capitals (bolded in the original) is variable, so we cannot use it to find artifacts; only the fixed key names and punctuation around it are reliable search strings.

Recovering artifacts

The first thing to do is to install a hexadecimal editor in order to analyze our memory dump manually. In this lab, we’ll be using “Bless”, a binary (hex) editor, a program that lets you edit files as a sequence of bytes (https://apps.ubuntu.com/cat/applications/bless/).

From your terminal window type in the following command:

    sudo apt-get install bless

If asked for a password, type in the password you used to log in to your VM, as follows:


Once the hexadecimal editor is installed, run Bless by typing bless and hitting Enter in the same terminal window, as follows:


From the main GUI of Bless, click File -> Open and load your raw image (the memory dump you want to examine).



Like the following:


Now we are ready to start looking for our artifacts.

Recovering Facebook Comments:

As explained in the previous section, comments on Facebook can be identified by the following fixed prefix:

    "comments": [{
        "body": {
            "text":

In the Bless window, click Search > Find:


Then type "comments":[{"body":{"text":" in the search field (straight quotes, no spaces: the JSON in memory is minified) and choose “Text” as the type of input we are giving to the editor:

Click on Find Next or simply hit enter:

Following "text": comes our comment, and all the data required to trace the comment back can be recovered: we can use the different IDs to generate valid URLs to visit the commenter’s profile and eventually see the post being commented on.

Recovering Facebook Messages and Chats:

Since Facebook messages and chats are structured the same way, they can be recovered by searching for the fixed string from the JSON structure given earlier, {"message_id":"mid. , the same way we did with comments:

As you can see, in addition to the message or chat body, everything about a chat or message can be recovered: the author’s Facebook profile ID, the sending time, whether the message was read or not, its subject, and whether it was sent from the web or a smartphone application.

Recovering Facebook Contacts:

Not every contact can be recovered from a memory dump; the contacts that can be recovered are mainly the last active friends and the friends with whom the profile owner has recently interacted.

Contacts can be recovered by searching for the string "uri":"https:\/\/www.facebook.com\/ (note the escaped slashes, exactly as they appear in the JSON).

The results are mostly grouped in the same location; by analyzing the lines after the first hit you can find all the friends’ details, including links to their respective profiles, their profile IDs, first and last names…
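The three Bless searches above (comments, messages, contacts) can be automated against the formats described in the Facebook data formats section. The following Python script is an added example, not part of the original lab: it scans a raw dump for the three fixed byte strings, carves the enclosing JSON object by brace matching while honouring escaped quotes, and skips objects that are cut off. The sample dump is constructed here and its IDs are made up.

```python
import json
import re
# The lab's three fixed search strings as bytes (straight quotes; the JSON held in RAM is minified).
SIGNATURES = {
    "comment": b'"comments":[{"body":{"text":"',
    "message": b'{"message_id":"mid.',
    "contact": b'"uri":"https:\\/\\/www.facebook.com\\/',
}

def carve_object(buf, start):
    """Balanced {...} opening at buf[start]; None if the dump cuts it off."""
    depth, in_str, esc = 0, False, False
    for i in range(start, len(buf)):
        c = buf[i]
        if in_str:                      # inside a string only '\' and '"' matter
            if esc: esc = False
            elif c == 0x5C: esc = True  # backslash escapes the next byte
            elif c == 0x22: in_str = False
        elif c == 0x22: in_str = True
        elif c == 0x7B: depth += 1
        elif c == 0x7D:
            depth -= 1
            if depth == 0: return buf[start:i + 1]
    return None

def object_start(buf, kind, hit):
    """Map a signature hit to the '{' opening the artifact's own object."""
    if kind == "comment": return hit + len(b'"comments":[')  # skip past the '['
    if kind == "contact": return buf.rfind(b"{", 0, hit)    # "uri" is mid-object
    return hit                                               # message opens with '{'

def carve_artifacts(dump):
    """Scan a raw dump for every signature; return [(kind, offset, dict)]."""
    found = []
    for kind, sig in SIGNATURES.items():
        for m in re.finditer(re.escape(sig), dump):
            raw = carve_object(dump, object_start(dump, kind, m.start()))
            if raw is None: continue            # truncated: not recoverable
            try: found.append((kind, m.start(), json.loads(raw.decode("utf-8", "replace"))))
            except json.JSONDecodeError: pass   # signature hit inside non-JSON noise
    return found

# Constructed sample dump: filler, one comment, one message, one contact, one truncated message.
SAMPLE_DUMP = (b"\x00" * 16
    + b'"comments":[{"body":{"text":"Nice \\"post\\"","ranges":[]},"fbid":"111","author":"222",'
    + b'"timestamp":{"time":1462374818,"text":"Yesterday at 16:13"}}]' + b"\xff" * 8
    + b'{"message_id":"mid.1462213293948:fa2e","author":"fbid:444","body":"hello there"}'
    + b"\x00" * 8 + b'"555":{"id":"555","name":"Jane Doe","uri":"https:\\/\\/www.facebook.com\\/jane.doe"}'
    + b"\x00" * 8 + b'{"message_id":"mid.999:cut","body":"trunc')
```

Run carve_artifacts on the bytes of a real dump image to list every recoverable object with its byte offset, which can then be checked in Bless.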

Final words

Facebook changes the way it generates JSON from time to time, so analyzing the current structure before starting an investigation is worthwhile and will help the investigator identify the artifacts stored in a memory dump.