Extract Facebook Conversations with Belkasoft Evidence Center
Extracting Facebook conversations from a PC under investigation is never easy,
as no PC application such as “Facebook IM” or “Facebook Messenger” exists (only
mobile Facebook Manager apps are available). There are no application, no history
database and no log files stored on the hard drive. Therefore, extracting Facebook
conversations is only possible via Live RAM analysis, a feature of Belkasoft Evidence
Center Professional and Forensic Studio Ultimate.
Facebook Conversations: What Can Be Extracted
Belkasoft Evidence Center extracts Facebook conversations by performing a Live
RAM analysis of the PC. This includes the analysis of the computer’s volatile memory
snapshots as well as the investigation of pagefile.sys and hiberfile.sys files found
on the computer’s hard drive(s).
So what exactly can be extracted? Belkasoft Evidence Center can locate chat messages
and Facebook mail messages sent and received with Internet Explorer, Google Chrome
and Firefox. Available information includes sender and recipient information complete
with their nicknames and Facebook account numbers; date and time, subject and message
body, as well as sender’s photo link, link to a profile and last updated time.
Historically, certain information about Facebook profiles could be extracted
before September, 2011 if Internet Explorer was used. The profile information files
ended up in IE cache, and could be extracted from the cache with Belkasoft Evidence
Center. At this time, however, this is not the case, as Facebook fixed this around
September, 2011.
In addition to Facebook conversations, Belkasoft Evidence Center can perform
Live RAM analysis of Facebook Newsfeeds. The analysis works if either Internet Explorer
or Google Chrome was engaged. News messages as well as the name, sometimes accompanied
by the ID and link of the person who posted a message can be extracted. Additionally,
it is sometimes possible to extract additional information such as IDs or links
to people or places mentioned in the news message. In some cases the time of the
news message can be also extracted.
For Google Chrome only, Belkasoft Evidence Center can perform Live RAM analysis
to locate and extract Facebook photo albums. Album name, link, the place it is connected
to, time and last updated time, the name of the person who posted and photos links
can be extracted.
Limitations of Facebook Live RAM Analysis
The amount of information available through Live RAM analysis is inherently limited.
Large amounts of extracted evidence should not be expected with Live RAM carving,
as the computer’s volatile memory only contains the most recent data used by various
applications at the time the computer is running. This data may be destroyed or
overwritten at any time. However, even a small amount of the most recent information
can be much better than nothing at all.
How To Extract Facebook Messages
In order to engage Facebook carving, click on the Carve Device button from the toolbar,
then choose a source drive to carve:
Finally, you’ll need to specify the type of data to carve for. In order to carve
Facebook communication history, mark Facebook under the Social Networks check box.
More information about Facebook message carving is available at
Carving and Live RAM analysis.
Compare editions or download the free evaluation version.
