Recover Social Network Conversations with Belkasoft Evidence Center
Conversations occurring in most social networks are not an easy target. Recovering social network conversations is not as simple as analyzing the logs (there aren’t any) or carving the hard drive. Instead, investigators who want to extract remnants of social network communications are forced to rely on Live RAM analysis, a feature of Belkasoft Evidence Center Professional and Forensic Studio Ultimate.
Social Network Conversations: What Can Be Extracted
The Professional and Ultimate editions of Belkasoft Evidence Center can extract social network conversations by performing a Live RAM analysis of the PC, including the analysis of memory dumps (snapshots of volatile memory), paging files (pagefile.sys) and hibernation files (hiberfil.sys).
So what kind of data can actually be recovered? For most social networks, such as Facebook and Twitter, Belkasoft Evidence Center can recover conversation threads and individual chat messages. For certain social networks, such as Facebook, some mail messages sent and received with Internet Explorer, Google Chrome and Firefox can also be recovered. Available information may include sender and recipient information complete with their nicknames and account numbers, where applicable; date and time, subject and message body, as well as sender’s photo link, link to a profile and last updated time.
Recovering Social Network Remnants via Live RAM Analysis: The Limitations
Information about social network chats and communications does not normally end up on the hard drive, with the possible exception of paging and hibernation files. Live RAM analysis is therefore the only way to extract social network communications. Due to the very nature of volatile memory, the amount of information available through Live RAM analysis is inherently limited. Large amounts of extracted evidence should not be expected from Live RAM carving, as the computer’s volatile memory holds only the most recent data while the computer is running, and this data may be destroyed or overwritten at any time. However, even a small amount of the most recent information can be much better than nothing at all.
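To illustrate what carving a memory image for message remnants involves, here is an added example (not Belkasoft's code and not taken from the original page) that scans a raw dump for chat records in both UTF-8 and UTF-16LE and salvages fields from records that were cut off. The record layout, the `"sender"` anchor and the sample dump are constructed assumptions; real services each use their own formats.

```python
import json
import re

# Constructed record layout for illustration; real services each use their own
# formats, and a carver needs a signature for every one of them.
ANCHOR = '"sender"'
LOOKBACK = 64      # bytes searched backwards from the anchor for the opening brace
MAX_RECORD = 4096  # bytes decoded per candidate record
FIELD = re.compile(r'"(\w+)":\s*"([^"\ufffd]*)')  # salvages string fields from fragments

def carve_messages(dump: bytes):
    """Return candidate chat records found in a raw memory image."""
    hits = []
    for enc in ("utf-8", "utf-16-le"):  # process memory holds strings in both encodings
        anchor, brace = ANCHOR.encode(enc), "{".encode(enc)
        pos = dump.find(anchor)
        while pos != -1:
            start = dump.rfind(brace, max(0, pos - LOOKBACK), pos)
            # Byte-level search works at any offset; only the brace-to-anchor
            # distance must be a whole number of code units.
            if start != -1 and (pos - start) % len(brace) == 0:
                text = dump[start:start + MAX_RECORD].decode(enc, errors="replace")
                try:
                    fields, _ = json.JSONDecoder().raw_decode(text)
                    status = "complete"
                except json.JSONDecodeError:
                    # Record was cut off or overwritten: keep what survives.
                    fields, status = dict(FIELD.findall(text)), "partial"
                hits.append({"offset": start, "encoding": enc,
                             "status": status, "fields": fields})
            pos = dump.find(anchor, pos + 1)
    return hits

def build_sample_dump() -> bytes:
    """Constructed test image: filler bytes around three records."""
    r1 = json.dumps({"sender": "alice", "recipient": "bob",
                     "time": "2013-05-01T10:15:00", "body": "see you at 6"})
    r2 = json.dumps({"thread": 7, "sender": "bob", "body": "ok"})
    r3 = '{"sender": "carol", "body": "call me when you'  # truncated mid-field
    return (b"\x00" * 37 + r1.encode("utf-8") + b"\xff" * 21
            + r2.encode("utf-16-le") + b"\x90" * 13
            + r3.encode("utf-8") + b"\xff" * 9)

if __name__ == "__main__":
    for hit in carve_messages(build_sample_dump()):
        print(hit)
```

Recording the byte offset and a complete/partial status for every hit lets an examiner re-locate the record in the image and weigh a truncated fragment accordingly.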
How To Extract Social Network Conversations
To recover social network communications, click the Carve Device button on the toolbar, then choose a source drive to carve.
Specify the type of data to carve for by selecting appropriate check boxes under the Social Networks thread. For example, in order to recover Facebook communication history, mark Facebook under the Social Networks check box.
More information about recovering social network messages is available at Carving and Live RAM analysis.