Facebook Artifacts


Frank McClain

Metadata from Posts, Comments, and Messages

Facebook artifacts for Post, Comment, Message (not necessarily in that order):

Comment (ampersand separated):
charset_test=
fb_dtsg=AQDnBZEP
feedback_params={"actor":"4286109357","target_fbid":"8457139026","target_profile_id":"4286109357","type_id":"22","assoc_obj_id":"","source_app_id":"0","extra_story_params":[],"content_timestamp":"1336396534","check_hash":"BEOzzl5d9kPtd56X","source":"1"}
translate_on_load=
add_comment_text_text=mmm, chocolate muffins…;)
add_comment_text=mmm, chocolate muffins…;)
link_data={"qid":"5997325849936326255","mf_story_key":"1055615292714765287"}
comment_replace=optimistic_comment_8228420818_0
comment=1
__user=1181507002
phstamp=165816811066906980789

Notes: Actor and Target_Profile_ID both refer to the original post author. Target_FBID is apparently the author of the previous comment. Facebook user IDs encountered during research were 10-digit numeric. Content_Timestamp is a Unix timestamp.

Post (ampersand separated):
fb_dtsg=DGRnKTIV
xhpc_composerid=y6ud29_4
xhpc_targetid=1181507002
xhpc_context=home
xhpc_fbx=1
xhpc_timeline=
xhpc_ismeta=1
xhpc_message_text=If I can find a post cached on my system, why does it not show up in my pcap? It’s somewhat rhetorical; I *will* find it.
xhpc_message=If I can find a post cached on my system, why does it not show up in my pcap? It’s somewhat rhetorical; I *will* find it.
composertags_place=
composertags_place_name=
composer_predicted_city=
composer_session_id=3867336142
is_explicit_place=
audience[0][value]=40
composertags_city=
disable_location_sharing=false
nctr[_mod]=
pagelet_composer __user=1181507002
phstamp=165816811066906980749

Notes: XHPC_TargetID and Pagelet_Composer_User are both the post author’s Facebook ID.

Message (comma separated):
for (;;);{"__ar":1
"payload":{"threads":[{"thread_id":"id.489415769211708"
"last_action_id":"1891362734339000000"
"participants":["fbid:1181507002","fbid:1504162673"]
"name":null,"snippet":"this is a test. i'm looking for forensic artifacts… :)"
"snippet_has_attachment":false
"is_forwarded_snippet":false
"snippet_attachments":[]
"unread_count":0
"image_src":""
"timestamp_absolute":"Sat, 05 May 2012 18:48:55 -0700"
"timestamp_relative":"5 minutes ago"
"timestamp":1336268935102
"is_canonical_user":true
"is_subscribed":true
"is_canonical_group":false
"group_id":null
"is_canonical_live_listen":false
"live_listen_id":null
"is_chatlogger_thread":false
"root_message_threading_id":"\u005Q9YO9TyvIIwiNeg75i3DSjanpwiI6QMqXP\u0050messages.facebook.com>"
"folder":"inbox"
"is_archived":false,"chat_clear_time":-9223372036854775808
"mode":2}]
"actions":[{"message_id":"id.489415769211708"
"threading_id":"\u005Q9YO9TyvIIwiNeg75i3DSjanpwiI6QMqXP\u0050messages.facebook.com>"
"author":"fbid:1181507002"
"timestamp":1336268935102
"timestamp_absolute":"Sat, 05 May 2012 18:48:55 -0700"
"timestamp_relative":"5 minutes ago"
"is_unread":false
"is_forward":false
"forward_count":0
"forward_message_ids":null,"source":"source:titan:web"
"folder":"inbox","body":"this is a test. i'm looking for forensic artifacts… :)"
"subject":null
"has_attachment":false
"attachments":[]
"raw_attachments":null
"is_html":false
"thread_id":"id.489415769211708"
"action_id":"1891362734339000000"
"action_type":"ma-type:user-generated-message"}]
"end_of_history":[{"type":"thread","id":"id.489415769211708"}]
"roger":null
"payload_source":"server_fetch_thread_info"}}

Notes: Last_Action_ID and Action_ID are the same. Payload, Actions, Thread_ID, and End_of_History all contain the same number, referred to as a message or thread ID. Timestamp (which appears twice) is a Unix timestamp. Root_Message_Threading_ID and Threading_ID are the same; this may refer to a profile path.
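The three shapes above can be told apart by the keys only one of them carries (add_comment_text for a comment, xhpc_message for a post, a payload object for a message), and their timestamps are not in the same unit: the comment's content_timestamp is ten-digit Unix seconds, while the message's timestamp is thirteen-digit Unix milliseconds (1336268935102 corresponds to the "Sat, 05 May 2012 18:48:55 -0700" shown beside it, i.e. 01:48:55.102 UTC on 6 May). The Python below is an added example, not the author's tooling: it classifies a captured request or response body by those keys, decodes the ampersand-separated form or the JSON, strips the "for (;;);" prefix Facebook places in front of JSON responses (a guard against the response being loaded as a script by another site), and normalises IDs and timestamps. The sample bodies are constructed from the already-anonymised values in this post, trimmed to the fields the parser reads; the message sample omits the threading_id because the captured value contains an escape sequence that a strict JSON parser rejects.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Prefix Facebook puts in front of JSON responses so they cannot be evaluated
# as a script by a third-party page; it has to be removed before json.loads().
JSON_GUARD = "for (;;);"


def unix_to_utc(value):
    """Convert a Unix timestamp in seconds (10 digits) or milliseconds (13 digits)
    to an aware UTC datetime, avoiding floating point so the millisecond survives."""
    n = int(value)
    if n >= 10**11:  # no plausible seconds value is this large: treat as milliseconds
        secs, ms = divmod(n, 1000)
        return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=ms)
    return datetime.fromtimestamp(n, tz=timezone.utc)


def parse_form_body(body):
    """Split an ampersand-separated, URL-encoded form body into a dict.
    Each pair is split on its first '=' only, so a JSON value containing '=' survives."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def strip_fbid(value):
    """'fbid:1181507002' -> '1181507002' (message participants and authors carry the prefix)."""
    return value[5:] if value.startswith("fbid:") else value


def classify(body):
    """Distinguish the three artifact shapes by the keys only one of them carries."""
    if body.startswith(JSON_GUARD):
        return "message"
    if "add_comment_text=" in body:
        return "comment"
    if "xhpc_message=" in body:
        return "post"
    return "unknown"


def parse_artifact(body):
    """Return a normalised record: kind, the IDs involved, the text, and a UTC timestamp."""
    kind = classify(body)
    if kind == "comment":
        fields = parse_form_body(body)
        params = json.loads(fields["feedback_params"])
        return {
            "kind": kind,
            "post_author_id": params["actor"],      # original post author (see notes above)
            "commenter_id": fields["__user"],       # account that submitted the comment
            "text": fields["add_comment_text"],
            "timestamp": unix_to_utc(params["content_timestamp"]),
        }
    if kind == "post":
        fields = parse_form_body(body)
        return {
            "kind": kind,
            "author_id": fields["xhpc_targetid"],   # same value as __user for a post
            "text": fields["xhpc_message"],
            "timestamp": None,                      # the post body carries no timestamp field
        }
    if kind == "message":
        data = json.loads(body[len(JSON_GUARD):])
        thread = data["payload"]["threads"][0]
        action = data["payload"]["actions"][0]
        return {
            "kind": kind,
            "author_id": strip_fbid(action["author"]),
            "participants": [strip_fbid(p) for p in thread["participants"]],
            "thread_id": thread["thread_id"],
            "text": action["body"],
            "timestamp": unix_to_utc(action["timestamp"]),  # milliseconds in the capture
        }
    return {"kind": kind}


# Constructed samples, built from the anonymised values in the post and cut down
# to the fields this parser reads.
SAMPLE_COMMENT = (
    "charset_test=&fb_dtsg=AQDnBZEP"
    '&feedback_params={"actor":"4286109357","target_fbid":"8457139026",'
    '"target_profile_id":"4286109357","type_id":"22","content_timestamp":"1336396534"}'
    "&add_comment_text=mmm, chocolate muffins...;)&comment=1&__user=1181507002"
)
SAMPLE_POST = (
    "fb_dtsg=DGRnKTIV&xhpc_composerid=y6ud29_4&xhpc_targetid=1181507002&xhpc_context=home"
    "&xhpc_message=If I can find a post cached on my system, why does it not show up in my pcap?"
    "&composer_session_id=3867336142&__user=1181507002"
)
SAMPLE_MESSAGE = (
    'for (;;);{"__ar":1,"payload":{"threads":[{"thread_id":"id.489415769211708",'
    '"participants":["fbid:1181507002","fbid:1504162673"],"folder":"inbox"}],'
    '"actions":[{"message_id":"id.489415769211708","author":"fbid:1181507002",'
    '"timestamp":1336268935102,"body":"this is a test. i\'m looking for forensic artifacts... :)",'
    '"thread_id":"id.489415769211708","action_type":"ma-type:user-generated-message"}]}}'
)

if __name__ == "__main__":
    for sample in (SAMPLE_COMMENT, SAMPLE_POST, SAMPLE_MESSAGE):
        print(parse_artifact(sample))
```

The classifier deliberately checks the raw body text rather than trying to parse it first, because a body that fails to parse (the captured threading_id with its odd escape is one such case) is still worth labelling by kind so the analyst knows which fields to pull out by hand.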

Filetype: PCAP

Applications Used:

Wireshark
tshark
Digital Detective DCode
Woanware Encoder

Notes: 

Evidence was collected by running Wireshark while creating user content on Facebook (Posts, Comments, and Messages). Text-searching did not always work as anticipated (i.e., finding my keywords), so I also converted the pcap to text using tshark, and ended up creating additional Facebook content to extend testing. This was all performed on a Windows system; no portable apps or devices were used.

I cleaned up the content: decoded the URL encoding into ASCII, split it into individual lines, and so on. The parenthetical statement for each content type indicates the separator. All metadata associated with the user content has been randomly changed (while preserving the format) to anonymize it. Timestamps are the exception.

I have not tried to determine “what it all means.” My main goal was to determine the artifacts differentiating a post, message, and comment.