Lab: Social Network Artifacts 2023
Introduction
In this lab we use Santoku Linux with the Bless hex editor to extract Facebook artifacts from a Windows 7 memory dump.
The main goal is to find evidence of Facebook activity in a volatile memory dump. The whole exercise comes down to knowing the format of the Facebook data (the JSON its web endpoints return) that can turn up in a RAM dump.
Facebook data may be cached on disk or in RAM, and the examiner can recover evidence such as:
- Comments
- Messages / chats
- Contacts
Finding it requires knowing the JSON keys (or HTML tags) that wrap each kind of data. The following describes how each of the above is stored in the RAM cache.
Facebook data formats
Facebook comments:
The structure of comments is fairly confusing and time-consuming to analyze (as is most Facebook data), because it carries everything related to the commented post and everyone who responded to it. A basic comment is structured like this:
"comments": [{
    "body": {
        "text": "COMMENT IS HERE",
        "scopes": [],
        "aggregatedranges": []
    },
    "isfeatured": false,
    "likecount": 0,
    "hasviewerlike": false,
    "canremove": true,
    "canreport": true,
    "canedit": false,
    "isauthorweakreference": false,
    "istranslatable": false,
    "audience": true,
    "cancomment": true,
    "spamreplycount": 0,
    "commentshareuri": "/ajax/sharer/?s=69&appid=RANDOM ID&id=COMMENT ID&p\u00255B0\u00255D=POST ID",
    "canembed": false,
    "id": "POST ID_COMMENT ID",
    "fbid": "COMMENT ID",
    "legacyid": "COMMENT ID",
    "author": "COMMENT AUTHOR PROFILE ID",
    "ftentidentifier": "POST ID",
    "source": 3,
    "highlightedcomment": false,
    "timestamp": {
        "time": 1462374818,
        "text": "Yesterday at 16:13",
        "verbose": "Wednesday, May 4, 2016 at 4:13 pm"
    }
}]
Facebook messages and chats:
Not every conversation can be recovered, because it is unlikely that all of them are cached or loaded into volatile memory at the same time. The JSON structure of Facebook messages and conversations looks like this:
{
    "message_id": "mid.1462213293948:fa2e2453d700e5a934",
    "thread_id": null,
    "offline_threading_id": "6132952131090314292",
    "author": "fbid:SENDER FACEBOOK ID",
    "author_email": "SENDER FACEBOOK ID\u0040facebook.com",
    "ephemeral_ttl_mode": null,
    "timestamp": 1462213293954,
    "timestamp_absolute": "Monday",
    "timestamp_relative": "Mon",
    "timestamp_datetime": "Monday 19:21",
    "timestamp_time_passed": 1,
    "is_unread": false,
    "is_forward": false,
    "is_filtered_content": false,
    "is_filtered_content_bh": false,
    "is_filtered_content_account": false,
    "is_filtered_content_quasar": false,
    "is_filtered_content_invalid_app": false,
    "is_sponsored": false,
    "commerce_message_type": null,
    "forward_count": 0,
    "forward_message_ids": [],
    "source": "source:chat:web",
    "source_tags": ["source:chat"],
    "tags": ["inbox", "source:chat:web", "cg-enabled"],
    "is_spoof_warning": false,
    "folder": "inbox",
    "thread_fbid": "SENDER FACEBOOK ID",
    "other_user_fbid": "OTHER USER FACEBOOK ID",
    "body": "MESSAGE OR CHAT TEXT GOES HERE",
    "subject": "message subject",
    "has_attachment": false,
    "attachments": [],
    "raw_attachments": null,
    "scopes": [],
    "meta_ranges": null,
    "thread_id": "0ShVpOpXKCiRUkL8JxoXdg",
    "action_type": "ma-type:user-generated-message"
}
Facebook contacts:
Contacts appearing in the ticker and some of the most recently active contacts can also be recovered. Each contact is defined as follows:
"CONTACT ID": {
    "id": "CONTACT ID",
    "name": "CONTACT FULL NAME",
    "firstName": "CONTACT FIRST NAME",
    "vanity": "CONTACT VANITY NAME (username)",
    "thumbSrc": "LINK TO CONTACT PROFILE PICTURE",
    "uri": "https://www.facebook.com/CONTACT VANITY NAME",
    "gender": 2,
    "i18nGender": 16777216,
    "type": "friend",
    "is_friend": true,
    "mThumbSrcSmall": null,
    "mThumbSrcLarge": null,
    "dir": null,
    "searchTokens": ["XXX", "YYYY", "ZZ"],
    "alternateName": "",
    "is_nonfriend_messenger_contact": false
}
searchTokens are words or parts of words that can be typed into a search form to find a user. Assuming my Facebook name is Soufiane Tahiri, the tokens could be "Souf", "Soufiane" and "Tahiri"; whichever you enter, you get suggestions that lead to my profile if I am in your friends list.
The values shown in capitals are variable (IDs, names, message text), so they cannot be used to find artifacts; only the fixed key names and the punctuation around them can serve as search strings.
Artifact recovery
The first thing you need is a hex editor to analyze the memory dump by hand. In this lab we use Bless, a binary (hexadecimal) editor that lets you view and edit a file as a sequence of bytes (https://apps.ubuntu.com/cat/applications/bless/).
In a terminal window, enter the following command:
sudo apt-get install bless
If prompted for a password, enter the one you use to log in to your VM, as follows:

Once the hex editor is installed, launch Bless by typing bless and pressing Enter in the same terminal window, as follows:

From the main Bless window, click File > Open and load your raw image (the memory dump you want to examine)

Like the following:

Now we are ready to start searching for our artifacts.
To recover Facebook comments:
As explained in the previous section, Facebook comments can be located by the following fixed sequence of keys (shown pretty-printed here; in memory the JSON is usually minified, with no whitespace between tokens):
"comments": [{
"body": {
"text":
In the Bless window, click Search > Find

Then type "comments":[{"body":{"text":" (without spaces) into the search field and select Text as the type of input:

Click Find Next or simply press Enter:

Right after "text": comes the comment itself, and all the data needed to trace it can be read from the surrounding fields: the author, post and comment IDs can be used to build valid URLs to visit the commenter's profile and possibly view the commented post.
To recover Facebook messages and chats:
Since Facebook messages and chats share the same structure, they can be recovered by searching for a fixed string taken from the JSON structure above: {"message_id":"mid. Proceed exactly as with comments:

As you can see, besides the message or chat body, everything about the message can be recovered: the author's Facebook profile ID, the time it was sent (the "timestamp" value is a millisecond epoch time), whether it had been read, its subject, and whether it was sent from the website or the smartphone app (the "source" field).
To recover Facebook contacts:
Not every contact can be recovered from the memory dump; those that can are mainly the most recently active friends and the friends the profile owner communicated with most recently.
Contacts can be recovered by searching for the string "uri":"https://www.facebook.com/

The results are mostly grouped in the same region; by reading on from the first hit you can find details of every friend present, including links to their profiles, their profile IDs, first and last names, and so on.
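The three searches above (comments, messages and contacts) can also be scripted. The following Python script is an added example, not part of the original lab and not a Bless feature: it scans a raw dump for the same fixed markers, walks back to the "{" that opens the enclosing JSON object, decodes it, and reports the fields the text says matter (comment text, post and comment IDs, author profile URL and time; message body, source and read flag; contact name and URI). It goes slightly beyond the manual search in two ways: whitespace between tokens is tolerated, so pretty-printed JSON is found as well as the minified form, and a marker with no intact object around it is dropped rather than reported. The sample dump, IDs, names and texts are constructed for the example.

```python
import json
import re
from datetime import datetime, timezone

# Fixed markers from the structures above; \s* lets them match minified JSON
# (the usual cached form) as well as the pretty-printed form shown in the text.
MARKERS = {
    "comment": re.compile(rb'"comments"\s*:\s*\[\s*\{\s*"body"\s*:\s*\{\s*"text"\s*:'),
    "message": re.compile(rb'\{\s*"message_id"\s*:\s*"mid\.'),
    "contact": re.compile(rb'"uri"\s*:\s*"https://www\.facebook\.com/'),
}

def carve_object(buf, start, limit=65536):
    """Balanced {...} starting at buf[start], or None. String state is tracked so
    braces or quotes inside a body do not upset the depth count; a non-printable
    byte outside a string means binary junk rather than JSON, so give up."""
    if buf[start:start + 1] != b"{": return None
    depth, in_str, esc = 0, False, False
    for i in range(start, min(len(buf), start + limit)):
        c = buf[i]
        if in_str:
            if esc: esc = False              # byte after a backslash
            elif c == 0x5C: esc = True       # backslash
            elif c == 0x22: in_str = False   # closing quote
            continue
        if c == 0x22: in_str = True
        elif c == 0x7B: depth += 1
        elif c == 0x7D:
            depth -= 1
            if depth == 0:
                return buf[start:i + 1]
        elif c not in (0x09, 0x0A, 0x0D, 0x20) and not 0x21 <= c <= 0x7E:
            return None
    return None

def enclosing_json(buf, hit, window=4096):
    """Walk back from a marker hit to the nearest '{' whose balanced object covers
    the hit and decodes as JSON; a marker with no intact object yields None."""
    lo, end = max(0, hit - window), hit + 1
    while end > lo:
        pos = buf.rfind(b"{", lo, end)
        if pos < 0: return None
        raw = carve_object(buf, pos)
        if raw is not None and pos + len(raw) > hit:
            try:
                return json.loads(raw.decode("utf-8"))
            except (UnicodeDecodeError, ValueError):
                pass
        end = pos
    return None

def utc(ts, millis=False):
    """Epoch to UTC text; comment times are in seconds, message times in ms."""
    t = datetime.fromtimestamp(ts / 1000 if millis else ts, tz=timezone.utc)
    return t.strftime("%Y-%m-%d %H:%M:%S UTC")

def describe(kind, obj):
    """Flatten a carved object into the fields an examiner reports (profile URLs
    are built from the numeric IDs, as the text describes)."""
    if kind == "comment":
        return [{"kind": "comment", "text": c.get("body", {}).get("text"),
                 "post_id": c.get("ftentidentifier"), "comment_id": c.get("fbid"),
                 "author_url": "https://www.facebook.com/%s" % c.get("author"),
                 "when": utc(c.get("timestamp", {}).get("time"))} for c in obj.get("comments", [])]
    if kind == "message":
        author = str(obj.get("author", "")).replace("fbid:", "", 1)
        return [{"kind": "message", "message_id": obj.get("message_id"), "text": obj.get("body"),
                 "source": obj.get("source"), "unread": obj.get("is_unread"),
                 "author_url": "https://www.facebook.com/%s" % author,
                 "when": utc(obj.get("timestamp"), millis=True)}]
    if kind == "contact" and "id" in obj:
        return [{"kind": "contact", "id": obj.get("id"), "name": obj.get("name"),
                 "uri": obj.get("uri"), "is_friend": obj.get("is_friend")}]
    return []

def carve_facebook_artifacts(dump):
    """Run every marker over the dump and return the recovered records."""
    found = []
    for kind, pattern in MARKERS.items():
        for m in pattern.finditer(dump):
            obj = enclosing_json(dump, m.start())
            found.extend(describe(kind, obj) if obj else [])
    return found

# Constructed sample dump (not a real capture): filler holding every byte value,
# so stray braces and quotes occur, around three minified fragments shaped like
# the structures above, plus a decoy marker with nothing behind it. Invented IDs.
COMMENT = (b'{"comments":[{"body":{"text":"Nice photo, see you Sat}"},"id":"1001_2002",'
           b'"fbid":"2002","author":"3003","ftentidentifier":"1001","timestamp":{"time":1462374818}}]}')
MESSAGE = (b'{"message_id":"mid.1462213293948:fa2e2453d700e5a934","author":"fbid:3003",'
           b'"timestamp":1462213293954,"is_unread":false,"source":"source:chat:web",'
           b'"body":"see you at 7 \\"sharp\\""}')
CONTACT = (b'{"3003":{"id":"3003","name":"Alice Example","firstName":"Alice",'
           b'"uri":"https://www.facebook.com/alice.example","is_friend":true}}')
DECOY = b'"uri":"https://www.facebook.com/\x00\x00'
FILLER = bytes(range(256)) * 4
SAMPLE_DUMP = FILLER + COMMENT + FILLER + DECOY + MESSAGE + CONTACT + FILLER

if __name__ == "__main__":
    print(*carve_facebook_artifacts(SAMPLE_DUMP), sep="\n")
```

To run it against a real image, replace SAMPLE_DUMP with the bytes of the dump (open(path, "rb").read(), or an mmap for multi-gigabyte files); a scripted scan is also far faster than a GUI search on a dump that size. Anything held compressed, or as UTF-16, will not match an ASCII marker; that is a limit of any string search, Bless included.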
Final words
Facebook changes the way it generates this JSON from time to time, so the current format is worth re-examining before any investigation starts; knowing it is what lets an investigator recognize the artifacts stored in a memory dump.