Recover Social Network Conversations

Recover Social Network Conversations with Belkasoft Evidence Center

Conversations occurring in most social networks are not an easy target. Recovering social network conversations is not as simple as analyzing the logs (there aren’t any) or carving the hard drive. Instead, investigators who want to extract remnants of social network communications are forced to rely on Live RAM analysis, a feature of Belkasoft Evidence Center Professional and Forensic Studio Ultimate.

Social Network Conversations: What Can Be Extracted

Professional and Ultimate editions of Belkasoft Evidence Center can extract social network conversations by performing a Live RAM analysis of the PC, including the analysis of memory dumps (snapshots of volatile memory), paging files (pagefile.sys) and hibernation file (hiberfile.sys).

So what kind of data can actually be recovered? For most social networks such as Facebook and Twitter, Belkasoft Evidence Center can recover conversation threads and individual chat messages. For certain social networks such as Facebook some mail messages sent and received with Internet Explorer, Google Chrome and Firefox can be also recovered. Available information may include sender and recipient information complete with their nicknames and account numbers, where applicable; date and time, subject and message body, as well as sender’s photo link, link to a profile and last updated time.

Recovering Social Network Remnants via Live RAM Analysis: The Limitations

Information about social network chats and communications does not normally end up on the hard drive with possible exceptions of paging and hibernation files. Therefore, Live RAM analysis is the only way to extract social network communications. Due to the very nature of volatile memory, the amount of information available through Live RAM analysis is inherently limited. Large amounts of extracted evidence should not be expected with Live RAM carving, as the computer’s volatile memory only contains the most recent data at the time the computer is running. This data may be destroyed or overwritten at any time. However, even a small amount of the most recent information can be much better than nothing at all.

How To Extract Social Network Conversations

In order to recover social network communications, click on the Carve Device button from the toolbar, then choose a source drive to carve:

Specify the type of data to carve for by selecting appropriate check boxes under the Social Networks thread. For example, in order to recover Facebook communication history, mark Facebook under the Social Networks check box.

More information about recovering social network messages is available at Carving and Live RAM analysis.

Compare editions or download the free evaluation version.

Articles

"Does your DFIR tool have substantial updates?"

In his new article, Brett Shavers from DFIR.training talks about new features of Belkasoft Evidence Center 9.7. He notes that "BEC’s v9.7 update adds quite a few artifacts that some suites don’t even try to examine". He overviews the most ... Read more

Unc0ver: What you should know about this new jailbreak for iOS devices

Unc0ver is a relatively popular jailbreak developed by the unc0ver team. In this article, we intend to examine the unc0ver jailbreak for purposes in the digital forensics field. We will describe unc0ver’s properties and also walk you through a ... Read more

Subscribe to our Newsletter