Assessing the availability of forensic evidence from social networking sites: tool capability
The evolution and popularity of Online Social Networking Sites (OSNSs) have produced a new platform for communication and collaboration. Features provided by OSNSs allow users to share information in different digital forms such as pictures, text messages, audio, and videos, and for different purposes such as social communication, advertisements, online dating, and learning. Due to the public space that OSNSs offer, many users have become psychologically attached to the continuous use of these sites, as they can freely share information about themselves including opinions, feelings, beliefs, locations, and relationships. Thus, OSNSs hold a vast amount of information about individuals, organizations, and governments. Unfortunately, OSNSs are being used for crime and illegal activities, including drug dealing, fraud, terrorism, child pornography and so on. Consequently, they have become a source of forensic evidence that can be used in courts of law. However, there is insufficient research focused on extracting forensic evidence from OSNSs, and there are no forensic tools designed exclusively for OSNS forensic investigation. Moreover, several digital forensic tools may have the ability to extract OSNS artefacts but remain untested. Thus, it is crucial to review and evaluate the capability of these tools in extracting admissible forensic evidence. The purpose of this research is to evaluate three digital forensic tools in terms of recovering forensic evidence from Facebook, Twitter, Instagram, Bayt, and LinkedIn, and to identify the scope of evidence using three different browsers. This research also aims to identify the locations and sources that store OSNS forensic evidence. The testing was conducted in a laboratory environment based on an exploratory approach. In the preliminary test, the functions and types of data acceptable in each OSNS were identified.
Two separate case scenarios were used to generate data using three browsers and to populate the respective test sites. Digital forensic investigation was carried out using three digital forensic tools, which were validated using the SWGDE approach for tool validation testing. Browser files stored on the hard drive, RAM, and pagefile.sys were all examined by the three tools in order to assess the scope and the capabilities. Advice for forensic investigators and guidelines for forensic investigation of OSNSs were developed based on the data collected. The findings from this research showed that extracting forensic evidence from OSNSs is difficult, as artefacts are stored in different locations that vary. The choice of web browser used to investigate OSNSs directly influences the scope of digital evidence obtained. Moreover, vital forensic evidence such as Facebook messages, Tweets, and wall posts can be recovered only from RAM and pagefile.sys. It was discovered that the selected digital forensic tools cannot extract all of the available evidence. This is because OSNS activities are not guaranteed to be stored on the computer system. However, the selected digital forensic tools succeeded in reconstructing sufficient evidence to determine the possibility of illegal and criminal activities through OSNSs. The findings show that some tools can recover private messages sent and received on Facebook, LinkedIn, and Bayt, and some tools can also recover message metadata such as the unique message ID, sender and receiver names and IDs, and dates and times of the messages. The findings of this research provide a comprehensive understanding of the capability, strengths, and weaknesses of the selected tools, and of the recoverable OSNS forensic evidence, which can assist forensic investigators and law enforcement personnel when conducting similar investigations.
Opportunities for future research and development in the area of online social network forensics are also listed.