Recover Social Network Conversations

Recover Social Network Conversations with Belkasoft Evidence Center

Conversations occurring in most social networks are not an easy target. Recovering social network conversations is not as simple as analyzing the logs (there aren’t any) or carving the hard drive. Instead, investigators who want to extract remnants of social network communications are forced to rely on Live RAM analysis, a feature of Belkasoft Evidence Center Professional and Forensic Studio Ultimate.

Social Network Conversations: What Can Be Extracted

Professional and Ultimate editions of Belkasoft Evidence Center can extract social network conversations by performing a Live RAM analysis of the PC, including the analysis of memory dumps (snapshots of volatile memory), paging files (pagefile.sys) and hibernation file (hiberfile.sys).

So what kind of data can actually be recovered? For most social networks such as Facebook and Twitter, Belkasoft Evidence Center can recover conversation threads and individual chat messages. For certain social networks such as Facebook some mail messages sent and received with Internet Explorer, Google Chrome and Firefox can be also recovered. Available information may include sender and recipient information complete with their nicknames and account numbers, where applicable; date and time, subject and message body, as well as sender’s photo link, link to a profile and last updated time.

Recovering Social Network Remnants via Live RAM Analysis: The Limitations

Information about social network chats and communications does not normally end up on the hard drive with possible exceptions of paging and hibernation files. Therefore, Live RAM analysis is the only way to extract social network communications. Due to the very nature of volatile memory, the amount of information available through Live RAM analysis is inherently limited. Large amounts of extracted evidence should not be expected with Live RAM carving, as the computer’s volatile memory only contains the most recent data at the time the computer is running. This data may be destroyed or overwritten at any time. However, even a small amount of the most recent information can be much better than nothing at all.

How To Extract Social Network Conversations

In order to recover social network communications, click on the Carve Device button from the toolbar, then choose a source drive to carve:

Specify the type of data to carve for by selecting appropriate check boxes under the Social Networks thread. For example, in order to recover Facebook communication history, mark Facebook under the Social Networks check box.

More information about recovering social network messages is available at Carving and Live RAM analysis.

Compare editions or download the free evaluation version.

Articles

I Have Been Hacked

This article was inspired by an active discussion in one of the forensic listservs. Original post was asking on how to fight with an argument “This is not me, this is a malware”. The suspect was allegedly downloading and viewing illicit child ... Read more

Acquiring Windows PCs

In this publication, we will talk about the acquisition of Windows computers – desktops and laptops. This class of devices has their own share of surprises when it comes to acquisition. The obvious path of acquiring a Windows PC has always ... Read more

Subscribe to our Newsletter