[Document] Facebook Forensics
many cases involve potential grooming offences in which the use of the Facebook platform and
the Facebook App for mobile needs to be investigated. As various activities such as instant chats, wall
comments and group events could create a number of footprints in different memory locations, the
purpose of this study is to discover evidence of them on various platforms or devices.
The analysis process mainly uses various physical and logical acquisition tools for memory
forensics, as well as Internet evidence finding tools for web browser cache searching or rebuilding.
After locating the evidence of a Facebook activity, its footprints could be examined by referring to
the response from the corresponding Facebook communication. The same activity may be tested
several times with different contents to increase the accuracy.
Throughout the research, there are some significant findings. Facebook core objects could be
located in different memory units including RAM, browser cache, pagefiles, unallocated clusters
and system restore points of a computer. More importantly, these findings match those
in virtual machines and the corresponding snapshot images. Although separate sets of results are
obtained from an iPhone or Android phone due to the difference between the Facebook App and a
standard web browser, evidence could still be located in the file system using mobile device