Browser Analysis of Residual Facebook Data
Abstract—As social media applications such as Facebook become an integral part of our society, they are also becoming an important source of information in a digital (forensics) investigation. In this paper, we examine the potential to recover artifacts of forensic interest after three popular browsers, namely: Mozilla Firefox, Google Chrome and Internet Explorer, have been used to access Facebook. Findings from this research will hopefully contribute to a better understanding of mobile device and app forensics.

Keywords—Digital forensics, Mobile forensics, Mobile app forensics, Browser forensics, Facebook forensics

I. INTRODUCTION

The continued assimilation of social media into all aspects of life is blatantly visible in today's networked societies. Statista estimates that by the end of 2019 there will be approximately 2.77 billion social media users worldwide and that this number will increase to around 3.02 billion by the end of 2021 [1]. This escalation creates opportunities for legitimate revenue streams, dissemination of false news and augmentation of digital investigation capabilities. It was also estimated that revenue from social media will reach 39 billion Euros by the end of 2019 [2]. Gartner predicts that individuals in mature markets will consume more "fake news" than factual information by 2022 [3]. As social media application (app) functionality increases, new opportunities for residual data generation emerge. A recent article indicates that Facebook is testing the ability to upload 24-hour self-deleting logs from desktop browsers [4].

The reality is that social networking apps can be used in today's society for a host of unpleasant and/or potentially illegal activities like bullying, stalking, harassment and slander. Coupling this reality with research indicating that residual data, in general, is increasingly being introduced into legal contexts, along with the legal implications for researchers, raises questions about the way that browsers interact with social media sites and the types of residual data that are resident after these interactions [5-7]. A recent article in government technology acknowledges that information posted publicly on social media sites is legally admissible in criminal investigations [8]. While postings on social media outlets prompt investigations into everyone from high school students to police officers [9, 10], questions arise as to how evidence is acquired when social media data is either not public or has been removed from a particular social media site. Web browsers, such as Mozilla Firefox, Google Chrome and Internet Explorer, provide end-users with access to their social media accounts across a wide range of devices. This pervasiveness makes them interesting from an investigation perspective. In addition, forensic artifacts from browsers may complement evidence from the analysis of the specific social network app, such as Facebook.

As noted by Statista [11], Facebook is the dominant social media provider. These queries prompted a preliminary investigation into the forensic analysis of residual information that is resident on browsers that have interacted with the Facebook social networking platform. Specifically, in this paper, we investigate Mozilla Firefox, Google Chrome and Internet Explorer browsers that interact with Facebook over a two-week timeline. Individual categories are documented for comparison purposes to indicate which browsers retain the largest amount of data.

The contributions of this research are two-fold.

1. Provides a proof-of-concept that different browsers retain various amounts of data when they interact with social media sites.

2. Contributes to discussions about documentation and evidentiary artifacts generated through social media interactions while highlighting the importance of verifying residual data artifacts.
Forensic Toolkit (FTK) Version 4.1.0.12 was utilized for the data acquisition.

The experiment took place in three stages that included Facebook profile creation, data generation and data extraction. The evidence was determined to be discovered if there was a match between keywords found and the activities performed, as well as by the matching of the recorded date/time stamps.

In the profile creation stage, three Facebook accounts were created using three separate browsers. The three accounts that were created on each browser were Fred Fox, Chris Chrome and Bob IE. The data generation stage consisted of a number of uploaded photos, comments, statuses, and created groups. The

TABLE II. FIREFOX

| Actions | Performed - FF | Evidence Found - FF | Category Found % - FF |
|---|---|---|---|
| Account Creation | 2 | 2 | 100% |
| Image Upload | 2 | 2 | 100% |
| Text Write | 38 | 12 | 32% |
| Searches | 4 | 4 | 100% |
| Chat Messages | 6 | 0 | 0% |
| Wall Posts | 24 | 4 | 17% |
| Profile Information | 4 | 4 | 100% |
| Text Read | 18 | 11 | 61% |
| Wall Posts/Comments | 12 | 10 | 83% |
| Chat Messages | 5 | 0 | 0% |
| Profile/Page View | 1 | 1 | 100% |
| Login | 1 | 1 | 100% |
| Session End/Logout | 0 | 0 | 0% |
| Total | 61 | 28 | 46% |
Detailed extraction results for the Chrome browser are available in Table III - Google Chrome. During the analysis of the extraction results, it was observed that two paths provided valuable residual artifacts:

• FacebookChrome .001/Partition 1/NONAME [NTFS]/[root]/Users/FTKuser/AppData/Local/Google/Chrome/User Data/Default/History

• FacebookChrome .001/Partition 1/NONAME [NTFS]/[root]/Users/FTKuser/AppData/Local/Google/Chrome/User Data/Default/Cache

TABLE IV. INTERNET EXPLORER

| Actions | Performed - IE | Evidence Found - IE | Category Found % - IE |
|---|---|---|---|
| Account Creation | 2 | 0 | 0% |
| Image Upload | 3 | 3 | 100% |
| Text Write | 8 | 4 | 50% |
| Searches | 4 | 4 | 100% |
| Chat Messages | 1 | 0 | 0% |
| Wall Posts | 3 | 0 | 0% |
| Profile Information | 0 | 0 | 0% |
| Text Read | 11 | 5 | 45% |
| Wall Posts/Comments | 4 | 1 | 25% |
| Chat Messages | 3 | 0 | 0% |
| Profile/Page View | 4 | 4 | 100% |
| Login | 2 | 2 | 100% |
| Session End/Logout | 1 | 0 | 0% |
| Total | 27 | 14 | 52% |
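The following added example (not code from the paper) applies the paper's discovery criterion, a keyword match plus a matching date/time stamp, to the `urls` and `visits` tables of the Chrome `History` SQLite file named in the extraction paths above. The sample rows, the test date, the examiner action log and the five-minute tolerance are all constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    """Chrome stores times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def day(h, m):  # constructed test date, not taken from the paper
    return datetime(2019, 3, 4, h, m, tzinfo=timezone.utc)

def build_sample_history():
    """Constructed stand-in for a working copy of Chrome's History file:
    a subset of its urls/visits tables, filled with invented rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    db.executemany("INSERT INTO urls VALUES (?,?,?)", [
        (1, "https://www.facebook.com/search/top/?q=fred%20fox", "fred fox - Facebook Search"),
        (2, "https://www.facebook.com/profile.php?id=0", "Chris Chrome"),
        (3, "https://example.org/", "Example Domain")])
    db.executemany("INSERT INTO visits VALUES (?,?,?)", [
        (1, 1, utc_to_webkit(day(14, 2))), (2, 2, utc_to_webkit(day(9, 30))),
        (3, 3, utc_to_webkit(day(14, 3)))])
    return db

def match_actions(db, actions, tolerance=timedelta(minutes=5)):
    """An action counts as found only if a Facebook visit contains its keyword
    AND that visit lies within `tolerance` (assumed value) of the logged time."""
    found = {}
    for name, keyword, when in actions:
        like = f"%{keyword.lower()}%"
        rows = db.execute(
            "SELECT v.visit_time FROM visits v JOIN urls u ON u.id = v.url "
            "WHERE u.url LIKE '%facebook.com%' "
            "AND (lower(u.title) LIKE ? OR lower(u.url) LIKE ?)", (like, like))
        found[name] = any(abs(webkit_to_utc(ts) - when) <= tolerance for (ts,) in rows)
    return found

# Constructed examiner log: (action, keyword, time the action was performed)
ACTIONS = [("search for fred fox", "fred fox", day(14, 0)),
           ("view profile", "chris chrome", day(16, 0)),   # keyword hit, wrong time
           ("chat message", "hello fred", day(14, 5))]      # no keyword hit
print(match_actions(build_sample_history(), ACTIONS))
```

On case data, run the same query against a hashed working copy of `History` opened read-only, for example with `sqlite3.connect("file:History?mode=ro", uri=True)`, rather than against the file inside the acquired image.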
TABLE V. IE RESIDUAL DATA LOCATIONS

Columns: Action Description, Action Details, Evidence Description, Evidence Location

• uploaded profile photo; Found image; C:\Users\trey.osborn\AppData\Local\Temp\adtemp\ad_tm

• searched for chris chrome; Found keyword search; facebookIEimage.001\Partition 2\NONAME [NTFS]\[root]\Users\Administrator\AppData\Local\Microsoft\Windows\Tempor

• searched for and sent chris chrome; Found evidence of being a friend with

• accepted friend request from fred fox; Found evidence of Fred Fox profile including From

Forensically sound data extraction toolkit: Future work will also investigate designing a forensically sound data extraction toolkit that can be used to automate the collection of data from browser applications on personal computers, laptops, mobile devices and virtual machines.

Machine learning-aided forensics: Another extension of this work is to explore the use of machine learning algorithms to aid investigators in the identification and establishment of action intent. The result of this future work could perceivably provide data that encourages additional investigation, creation, and implementation of more efficient and effective solutions for extracting social media residual data.
Networks and Applications, journal article vol. 22, no. 2, pp. 240-254, April 2017.
[16] M. Taylor, J. Haggerty, D. Gresty, P. Almond, and T. Berry, "Forensic investigation of social networking applications," Network Security, vol. 2014, no. 11, pp. 9-16, 2014.
[17] D. Weiss and G. Warner, "Tracking Criminals on Facebook: A Case Study From A Digital Forensics REU Program," in Proceedings of the Conference on Digital Forensics, Security and Law, 2015, p. 205: Association of Digital Forensics, Security and Law.
[18] Y.-J. Jang and J. Kwak, "Digital forensics investigation methodology applicable for social network services," Multimedia Tools and Applications, vol. 74, no. 14, pp. 5029-5040, 2015.
[19] B. Cusack and S. Alshaifi, "Mining social networking sites for digital evidence," 2015.
[20] Y.-J. Jang and J. Kwak, "Social network service real time data analysis process research," in Frontier and Innovation in Future Computing and Communications: Springer, 2014, pp. 643-652.
[21] N. B. Al Barghuthi and H. Said, "Social networks IM forensics: Encryption analysis," Journal of Communications, vol. 8, no. 11, pp. 708-15, 2013.
[22] N. Shafqat, "Forensic Investigation of User's Web Activity on Google Chrome using various Forensic Tools," International Journal of Computer Science and Network Security (IJCSNS), vol. 16, no. 9, p. 123, 2016.
[23] F. Norouzizadeh Dezfouli, A. Dehghantanha, B. Eterovic-Soric, and K.-K. R. Choo, "Investigating Social Networking applications on smartphones detecting Facebook, Twitter, LinkedIn and Google+ artefacts on Android and iOS platforms," Australian journal of forensic sciences, vol. 48, no. 4, pp. 469-488, 2016.
[24] N. Al Mutawa, I. Baggili, and A. Marrington, "Forensic analysis of social networking applications on mobile devices," Digital Investigation, vol. 9, pp. S24-S33, 2012.
[25] Y. Mohd Najwadi and A. Dehghantanha, "Network traffic forensics on Firefox Mobile OS: Facebook, Twitter and Telegram as case studies," 2016.
[26] M. Yusoff, A. Dehghantanha, and R. Mahmod, "Forensic Investigation of Social Media and Instant Messaging Services in Firefox OS: Facebook, Twitter, Google+, Telegram, OpenWapp, and Line as Case Studies."
[27] M. Moltisanti, A. Paratore, S. Battiato, and L. Saravo, "Image Manipulation on Facebook for Forensics Evidence," Cham, 2015, pp. 506-517: Springer International Publishing.
[28] N. A. Mutawa, I. A. Awadhi, I. Baggili, and A. Marrington, "Forensic artifacts of Facebook's instant messaging service," in 2011 International Conference for Internet Technology and Secured Transactions, 2011, pp. 771-776.
[29] H. C. Chu, D. J. Deng, and J. H. Park, "Live Data Mining Concerning Social Networking Forensics Based on a Facebook Session Through Aggregation of Social Data," IEEE Journal on Selected Areas in Communications, vol. 29, no. 7, pp. 1368-1376, 2011.
[30] K. Wong, A. Lai, J. Yeung, W. Lee, and P. Chan, "Facebook forensics," Valkyrie-X Security Research Group, 2011.
[31] J. Oh, S. Lee, and S. Lee, "Advanced evidence collection and analysis of web browser activity," Digital Investigation, vol. 8, pp. S62-S70, 2011.
[32] M. Mulazzani, M. Huber, and E. Weippl, "Social network forensics: Tapping the data pool of social networks," in Eighth Annual IFIP WG, 2012, vol. 11.
[33] G. Grispos, W. B. Glisson, D. Bourrie, T. Storer, and S. Miller, "Security Incident Recognition and Reporting (SIRR): An Industrial Perspective," in Twenty-third Americas Conference on Information Systems, Boston, 2017: Americas Conference on Information Systems.
[34] S. Hoolachan and W. B. Glisson, "Organizational Handling of Digital Evidence," in The 2010 ADFSL Conference on Digital Forensics, Security and Law, St. Paul, Minnesota, USA, 2010: Association of Digital Forensics, Security and Law.
[35] A. Mendoza, A. Kumar, D. Midcap, H. Cho, and C. Varol, "BrowStEx: A tool to aggregate browser storage artifacts for forensic analysis," Digital Investigation, vol. 14, pp. 63-75, 2015.
[36] J. H. Choi, K. Lee, J. Park, C. Lee, and S. Lee, "Analysis Framework to Detect Artifacts of Portable Web Browser," Lecture Notes in Electrical Engineering, vol. 180, pp. 207-214, 2012.
[37] S. Mahaju and T. Atkison, "Evaluation of Firefox Browser Forensics Tools," in Annual ACM Southeast Conference Featuring Multidisciplinary and Interdisciplinary Computing, 2017, pp. 5-12.
[38] A. Azfar, K. K. R. Choo, and L. Liu, "Forensic taxonomy of Android social apps," Journal of forensic sciences, vol. 62, no. 2, pp. 435-456, 2017.
[39] A. Azfar, K.-K. R. Choo, and L. Liu, "Forensic taxonomy of android productivity apps," Multimedia Tools and Applications, vol. 76, no. 3, pp. 3313-3341, 2017.
[40] A. Azfar, K. K. R. Choo, and L. Liu, "An android communication app forensic taxonomy," Journal of forensic sciences, vol. 61, no. 5, pp. 1337-1350, 2016.