Recover Social Network Conversations

Recover Social Network Conversations with Belkasoft Evidence Center

Conversations occurring in most social networks are not an easy target. Recovering social network conversations is not as simple as analyzing the logs (there aren’t any) or carving the hard drive. Instead, investigators who want to extract remnants of social network communications are forced to rely on Live RAM analysis, a feature of Belkasoft Evidence Center Professional and Forensic Studio Ultimate.

Social Network Conversations: What Can Be Extracted

Professional and Ultimate editions of Belkasoft Evidence Center can extract social network conversations by performing a Live RAM analysis of the PC, including the analysis of memory dumps (snapshots of volatile memory), paging files (pagefile.sys) and hibernation file (hiberfile.sys).

So what kind of data can actually be recovered? For most social networks such as Facebook and Twitter, Belkasoft Evidence Center can recover conversation threads and individual chat messages. For certain social networks such as Facebook some mail messages sent and received with Internet Explorer, Google Chrome and Firefox can be also recovered. Available information may include sender and recipient information complete with their nicknames and account numbers, where applicable; date and time, subject and message body, as well as sender’s photo link, link to a profile and last updated time.

Recovering Social Network Remnants via Live RAM Analysis: The Limitations

Information about social network chats and communications does not normally end up on the hard drive with possible exceptions of paging and hibernation files. Therefore, Live RAM analysis is the only way to extract social network communications. Due to the very nature of volatile memory, the amount of information available through Live RAM analysis is inherently limited. Large amounts of extracted evidence should not be expected with Live RAM carving, as the computer’s volatile memory only contains the most recent data at the time the computer is running. This data may be destroyed or overwritten at any time. However, even a small amount of the most recent information can be much better than nothing at all.

How To Extract Social Network Conversations

In order to recover social network communications, click on the Carve Device button from the toolbar, then choose a source drive to carve:

Specify the type of data to carve for by selecting appropriate check boxes under the Social Networks thread. For example, in order to recover Facebook communication history, mark Facebook under the Social Networks check box.

More information about recovering social network messages is available at Carving and Live RAM analysis.

Compare editions or download the free evaluation version.

Articles

Catching the ghost: how to discover ephemeral evidence with Live RAM analysis

Many types of evidence are only available in computer’s volatile memory. However, until very recently, this additional evidence was often discarded. Approaching running computers with a “pull-the-plug” attitude used to be a standard practice, ... Read more

Analyzing Windows Phone 8.1 JTAG and UFED Dumps

In recent months, we’ve started receiving calls from our customers asking us about extracting files and looking for evidence in binary dumps extracted out of Windows Phone 8 devices. We’ve got dozens of requests from European police ... Read more

Subscribe to our Newsletter