Recover Social Network Conversations

Recover Social Network Conversations with Belkasoft Evidence Center

Conversations occurring in most social networks are not an easy target. Recovering social network conversations is not as simple as analyzing the logs (there aren’t any) or carving the hard drive. Instead, investigators who want to extract remnants of social network communications are forced to rely on Live RAM analysis, a feature of Belkasoft Evidence Center Professional and Forensic Studio Ultimate.

Social Network Conversations: What Can Be Extracted

Professional and Ultimate editions of Belkasoft Evidence Center can extract social network conversations by performing a Live RAM analysis of the PC, including the analysis of memory dumps (snapshots of volatile memory), paging files (pagefile.sys) and hibernation file (hiberfile.sys).

So what kind of data can actually be recovered? For most social networks such as Facebook and Twitter, Belkasoft Evidence Center can recover conversation threads and individual chat messages. For certain social networks such as Facebook some mail messages sent and received with Internet Explorer, Google Chrome and Firefox can be also recovered. Available information may include sender and recipient information complete with their nicknames and account numbers, where applicable; date and time, subject and message body, as well as sender’s photo link, link to a profile and last updated time.

Recovering Social Network Remnants via Live RAM Analysis: The Limitations

Information about social network chats and communications does not normally end up on the hard drive with possible exceptions of paging and hibernation files. Therefore, Live RAM analysis is the only way to extract social network communications. Due to the very nature of volatile memory, the amount of information available through Live RAM analysis is inherently limited. Large amounts of extracted evidence should not be expected with Live RAM carving, as the computer’s volatile memory only contains the most recent data at the time the computer is running. This data may be destroyed or overwritten at any time. However, even a small amount of the most recent information can be much better than nothing at all.

How To Extract Social Network Conversations

In order to recover social network communications, click on the Carve Device button from the toolbar, then choose a source drive to carve:

Specify the type of data to carve for by selecting appropriate check boxes under the Social Networks thread. For example, in order to recover Facebook communication history, mark Facebook under the Social Networks check box.

More information about recovering social network messages is available at Carving and Live RAM analysis.

Compare editions or download the free evaluation version.

Articles

Countering Anti-Forensic Efforts - Part 1

Computer forensic techniques allow investigators to collect evidence from various digital devices. Tools and techniques exist allowing discovery of evidence that is difficult to get, including destroyed, locked, or obfuscated data. At the same ... Read more

Forensic Analysis of SQLite Databases: Free Lists, Write Ahead Log, Unallocated Space and Carving

SQLite is a widely popular database format that is used extensively pretty much everywhere. Both iOS and Android employ SQLite as a storage format of choice, with built-in and third-party applications relying on SQLite to keep their data. A wide ... Read more

Subscribe to our Newsletter