Extract Facebook Conversations with Belkasoft Evidence Center
Extracting Facebook conversations from a PC under investigation is never easy, as no PC application such as “Facebook IM” or “Facebook Messenger” exists (only mobile Facebook Manager apps are available). There are no application, no history database and no log files stored on the hard drive. Therefore, extracting Facebook conversations is only possible via Live RAM analysis, a feature of Belkasoft Evidence Center Professional and Forensic Studio Ultimate.
Facebook Conversations: What Can Be Extracted
Belkasoft Evidence Center extracts Facebook conversations by performing a Live RAM analysis of the PC. This includes the analysis of the computer’s volatile memory snapshots as well as the investigation of pagefile.sys and hiberfile.sys files found on the computer’s hard drive(s).
So what exactly can be extracted? Belkasoft Evidence Center can locate chat messages and Facebook mail messages sent and received with Internet Explorer, Google Chrome and Firefox. Available information includes sender and recipient information complete with their nicknames and Facebook account numbers; date and time, subject and message body, as well as sender’s photo link, link to a profile and last updated time.
Historically, certain information about Facebook profiles could be extracted before September, 2011 if Internet Explorer was used. The profile information files ended up in IE cache, and could be extracted from the cache with Belkasoft Evidence Center. At this time, however, this is not the case, as Facebook fixed this around September, 2011.
In addition to Facebook conversations, Belkasoft Evidence Center can perform Live RAM analysis of Facebook Newsfeeds. The analysis works if either Internet Explorer or Google Chrome was engaged. News messages as well as the name, sometimes accompanied by the ID and link of the person who posted a message can be extracted. Additionally, it is sometimes possible to extract additional information such as IDs or links to people or places mentioned in the news message. In some cases the time of the news message can be also extracted.
For Google Chrome only, Belkasoft Evidence Center can perform Live RAM analysis to locate and extract Facebook photo albums. Album name, link, the place it is connected to, time and last updated time, the name of the person who posted and photos links can be extracted.
Limitations of Facebook Live RAM Analysis
The amount of information available through Live RAM analysis is inherently limited. Large amounts of extracted evidence should not be expected with Live RAM carving, as the computer’s volatile memory only contains the most recent data used by various applications at the time the computer is running. This data may be destroyed or overwritten at any time. However, even a small amount of the most recent information can be much better than nothing at all.
How To Extract Facebook Messages
In order to engage Facebook carving, click on the Carve Device button from the toolbar, then choose a source drive to carve:
Finally, you’ll need to specify the type of data to carve for. In order to carve Facebook communication history, mark Facebook under the Social Networks check box.
More information about Facebook message carving is available at Carving and Live RAM analysis.
Compare editions or download the free evaluation version.
