Social Network Forensics: evidence extraction tool capabilities
The introduction of Social Networking Sites (SNSs) in recent years caused an explosion in consumer participation and these sites now attract hundreds of millions of users from around the world. Likewise, blogs and wikis are increasingly popular Web 2.0 venues that can evolve into formal communities of interest, providing significant knowledge-sharing and learning opportunities. Used appropriately, these venues therefore represent a valuable public space. Unfortunately, because a majority of the users of these sites are young people, the sites also tend to attract online predators and others who would exploit the sites. It is opportune to review and test the capability of different Digital Forensic tools that have practical application in the extraction of potential evidence from SNSs such as FacebookTM, TwitterTM, LinkedIn and Google+TM, in the event of criminal activity.
This research evaluates evidence extraction tools in a systematic and forensically sound manner and based on the findings of the literature review in this research, to measure the capability of extracting evidence from SNSs in different test scenarios. The research question underpinning this research asks whether the existing digital forensic tools have enable forensic investigators to enhance investigative process, and what features there are in each tool that can collect evidence from SNSs. This research will explore evidence extraction tool capabilities by posing the following main research question:
What are the capabilities of the 3 chosen tools to collect and analyse evidence from Social Networking Sites in a digital forensic investigation?
There are volumes of blog articles and ACM publications on social network technologies that reflect research in a full range of related topics. However, although there is a large body of literature on social networks generated since 2009, there are only a few articles on forensics in SNSs. The available literature is concerned with the impact of social networking on society in general, rather than how to find evidence from social networking sites.
In the proposed research, a samples of three software tools are evaluated for capability after a thorough review from literature about the available tools. A simulated social networking site is constructed in a controlled environment, and then stress-tested. The three selected tools are used to extract social network chat or web pages from allocated space on a hard disk partition, from unallocated space, and generated log data. Each tool is assessed for scope and capability. Advice on best practice for compliance with forensic data acquisition principles can be made based on performance. These outcomes can contribute to gaps in the current literature on conducting digital forensics investigation for SNSs.
The research found that evidence extraction from SNSs is complex as evidence is typically not saved on the hard drive, and artifacts are stored in many different places, depending on a number of variables. Given that the data exchange in question creates largely volatile data for which no guarantee of later data retrieval is given, all tools attempting to recover SNS data as evidence meet this condition as a fundamental constraint. There is no guarantee of the survivability of data created during user interaction with SNSs. Field testing results shows that some tools can extract Facebook Chat messages but no other details, some tools could recover send dates and times for chat messages as well as users ID, and detailed messages. The research testing results provide an understanding of the capability of the evidence extraction tools. The findings help the forensic examiner determine the accuracy and effectiveness they can expect when they need to use a particular tool.
The tools evaluated in this research, for their strengths and weaknesses, can dramatically improve the efficiency of a knowledgeable forensic examiner. The research findings presented may be valuable for law enforcement agents and digital forensic investigators in identifying current issues and limitations of the tools, and for software vendors to recognise the limitations of the tools, so that they can improve the tools for better extraction capability. It is hoped that the research findings may contribute to the future development of a social network artifact extraction tool, or to the enhancement of existing tools.