Comments on Forensics from the sausage factory: Facebook revisited and other chat related stuff

Steve W (2009-04-22 20:33):

Nice addition to the FaceBook tools that are starting to pop up. I will definitely give this a whirl in the next few days and compare it to a case I recently did using the 'J3' spreadsheet method & will post back.

Keep churning out those sausages!

Jim Gordon (2009-04-25 12:06):

Richard,

I downloaded Jad Saliba's program and ran it against a 250 Gb physical disk. It took 5 hours to complete, which wasn't a problem as I ran it overnight. I was interested in recovering Facebook chat fragments and, like you, thought that it did a really good job.

It extracted 205 chat fragments. The spreadsheet was, as you say, nicely formatted and I particularly liked the fact that it identified the Physical Sector of each hit. There were several date time stamps that appear out of sync and so I can go to the Physical Sector and, as you say, verify the 13 digit unix timestamps manually by one of your previously documented methods.

I'll report back when I've done so. All in all a good program.

Regards

Jim

Jim Gordon (2009-05-18 11:04):

I mentioned in my previous post about some date time stamps that appeared spurious.

Some of the strings of chat that Jad's application had extracted had the 13 digit Unix time stamp that according to his program gave times in the future, i.e. 02/08/2009 at xxxx hrs.

When I viewed the actual physical sectors where the data was found I copied the string with the timestamp and used Craig Wilson's 'decode' to corroborate the data. Craig's program revealed that the string decoded to 08/02/2009 at xxxx hrs. This fits entirely with the case. I then went through numerous other spurious time stamps, and they all showed the same error.

On a positive side, the fact that Jad's program revealed the physical sector allowed me to go straight to the chat fragment and use decode to corroborate the time stamp. The vast majority of time stamps were correctly decoded; it was just a few where the time was clearly wrongly decoded. I'll pass my findings on to him.

I think this also reinforces Richard's view of the importance of validating results.

DC1743 (2009-05-18 11:23):

Jim,

Looks like a US v UK date issue to me.

Regards

Jim Gordon (2009-05-18 21:26):

That's immediately what I thought Richard, except there were only a few of the dates parsed out wrongly and others were correct, i.e. in UK format that couldn't be in US format, 29/04/09 etc. As I mentioned previously, at least I can manually check any spurious results.

Enjoy reading your Blog

Jim

computerhelp (2009-11-10 09:32):

Hi! I was trying to get back some chat history on facebook that was really important and I tried this Internet Evidence Finder... I downloaded it and filled all the stuff out but when I click start, it says error opening drive? It only gives me two drive choices c: and d: and when I try d: it says getting disk size please choose a different source. Or else there's the choose file option. But how in the world would my files help recover facebook chat? I don't know much about computers. Lol I just want that one chat back. I still have it on my facebook, but the most important stuff is at the beginning and I guess facebook must have deleted it because it was too long. Anyways anybody help?

Anonymous (2009-11-13 00:32):

computerhelp,

I had the same problem. I have now noticed a comment lower down on Jag's site regarding Windows Vista and this error. The solution is to right click on the program icon and select "run as administrator". You'll then have access to the drives you want. I've done this and it now works perfectly!

Jim Gordon (2009-11-25 07:17):

Saw this post on the Sans Blog about Facebook artifacts in RAM, thought that it may be of interest.

http://blogs.sans.org/computer-forensics/2009/11/20/facebook-memory-forensics/