Wednesday, 22 April 2009

Facebook revisited and other chat related stuff

My blog post about Facebook chat generated a lot more email than usual.

In particular, Jad Saliba wrote about a program he has written to search for and report on Facebook chat. Jad's program is called Internet Evidence Finder and, at this time, it searches for Facebook chat, Facebook pages, Yahoo chat and MSN chat. Jad points out that the program may be useful in a non-EnCase shop and I agree. In fact it will be useful anywhere, as it did a very good job.

I have had some fun testing it today and found that it parses all the messages that my two previously documented methods had found. I used the program by mounting the drive image I wished to search with EnCase PDE and then running the program across the mounted drive. On my box the search ran at a speed of about 27 MB/sec. The resulting spreadsheet was nicely formatted and gave the Physical Sector of each hit. Jad's program is freeware and can be found at

With respect to MSN chat and the other chat clients, Jad's website deals with what can be achieved. In testing I am running right now with MSN, a large number of false positives have been found; however, this is probably the nature of the beast.

Now before someone mentions tool validation my view is that I don't validate my tools - I validate my results. Generally I do this with dual tool verification as in the example above.

Till next time...


Steve W said...

Nice addition to the Facebook tools that are starting to pop up. I will definitely give this a whirl in the next few days and compare it to a case I recently did using the 'J3' spreadsheet method & will post back.

Keep churning out those sausages!

Artemis said...


I downloaded Jad Saliba's program and ran it against a 250 Gb physical disk. It took 5 hours to complete, which wasn't a problem as I ran it overnight. I was interested in recovering Facebook chat fragments and like you thought that it did a really good job.

It extracted 205 chat fragments. The spreadsheet was as you say nicely formatted and I particularly liked the fact that it identified the Physical Sector of each hit. There were several date time stamps that appear out of sync and so I can go to the Physical Sector and as you say verify the 13 digit unix timestamps manually by one of your previously documented methods.

I'll report back when I've done so. All in all a good program.



Artemis said...

I mentioned in my previous post about some date time stamps that appeared spurious.

Some of the strings of chat that Jad's application had extracted had the 13 digit Unix time stamp that according to his program gave times in the future. i.e. 02/08/2009 at xxxx hrs.

When I viewed the actual physical sectors where the data was found, I copied the string with the timestamp and used Craig Wilson's 'decode' to corroborate the data. Craig's program revealed that the string decoded to 08/02/2009 at xxxx hrs. This fits entirely with the case. I then went through numerous other spurious time stamps, and they all showed the same error.

On a positive side, the fact that Jad's program revealed the physical sector allowed me to go straight to the chat fragment and use decode to corroborate the time stamp. The vast majority of time stamps were correctly decoded; it was just a few where the time was clearly wrongly decoded. I'll pass my findings on to him.

I think this also reinforces Richard's view of the importance of validating results.

DC1743 said...


Looks like a US v UK date issue to me.


Artemis said...

That's immediately what I thought, Richard, except there were only a few of the dates parsed out wrongly and others were correct, i.e. in UK format that couldn't be in US format: 29/04/09 etc. As I mentioned previously, at least I can manually check any spurious results.

Enjoy reading your Blog
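The check described in the comments above (decode the raw 13-digit timestamp found at the physical sector and compare it with the date the tool reported) can be scripted. This is an added example, not part of the original post and not code from Internet Evidence Finder or decode. The sample rows are constructed, and it assumes the reported dates are in UTC.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def decode_ms(raw: str) -> datetime:
    """Decode a 13-digit Unix timestamp (milliseconds since the epoch) to UTC."""
    if len(raw) != 13 or not raw.isdigit():
        raise ValueError(f"not a 13-digit millisecond timestamp: {raw!r}")
    return EPOCH + timedelta(milliseconds=int(raw))

def classify(reported: str, raw: str) -> str:
    """Compare a tool-reported NN/NN/YYYY date with the raw timestamp it came from."""
    actual = decode_ms(raw).date()
    first, second, year = (int(part) for part in reported.split("/"))
    if year < 100:                      # two-digit year, as in 29/04/09
        year += 2000
    if year != actual.year:
        return "mismatch"
    day_first = (first, second) == (actual.day, actual.month)
    month_first = (first, second) == (actual.month, actual.day)
    if day_first and month_first:
        return "either"                 # day == month, order cannot be told apart
    if day_first:
        return "day-first"
    if month_first:
        return "month-first"
    return "mismatch"                   # neither reading matches: re-examine the hit

def audit(rows):
    """Return (reported, decoded ISO time, verdict) for each (reported, raw) row."""
    return [(rep, decode_ms(raw).isoformat(), classify(rep, raw)) for rep, raw in rows]

# Constructed sample rows: (date shown in the spreadsheet, raw timestamp at the sector)
ROWS = [
    ("08/02/2009", "1234094400000"),
    ("02/08/2009", "1234094400000"),
    ("29/04/09", "1240995600000"),
    ("01/01/2009", "1234094400000"),
]

if __name__ == "__main__":
    for reported, iso, verdict in audit(ROWS):
        print(f"{reported:<12}{iso:<28}{verdict}")
```

Rows that come back month-first in an otherwise day-first report are the ones to re-check at the physical sector; the ISO 8601 column removes the day/month ambiguity from the record.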


computerhelp said...

Hi! I was trying to get back some chat history on Facebook that was really important and I tried this Internet Evidence Finder... I downloaded it and filled all the stuff out, but when I click start, it says error opening drive? It only gives me two drive choices, c: and d:, and when I try d: it says getting getting disk size please choose a different source. Or else there's the choose file option. But how in the world would my files help recover Facebook chat? I don't know much about computers. Lol, I just want that one chat back. I still have it on my Facebook, but the most important stuff is at the beginning and I guess Facebook must have deleted it because it was too long. Anyways, anybody help?

Anonymous said...


I had the same problem. I have now noticed a comment lower down on Jad's site regarding Windows Vista and this error. The solution is to right click on the program icon and select "run as administrator". You'll then have access to the drives you want. I've done this and it now works perfectly!

Artemis said...

Saw this post on the SANS blog about Facebook artifacts in RAM; thought that it may be of interest.